
Security Now 1068 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. A show we recorded a little bit early because we're going to Zero Trust World in Florida. We have lots to talk about though, jam-packed programming. Uh, we're going to talk about Scattered Lapsus Hunters. They're looking for female voices for their social engineering. Uh, AI hacking, is it here? Yes, it is. And a very potent ClickFix exploit. When you see how this works, you might wonder how you didn't get bit by it.

Leo Laporte [00:00:31]:
All of that coming up next on Security Now.

TWiT.tv [00:00:36]:
Podcasts you love from people you trust.

Leo Laporte [00:00:40]:
This is TWiT. This is Security Now with Steve Gibson, episode 1067, recorded Sunday, March 1st, 2026. Konk Tooks crash fix security, a weird Sunday edition, a one-off. Yes, let's do it. Never do it again.

Steve Gibson [00:01:04]:
Let's never do—

Leo Laporte [00:01:06]:
When's your, uh, when's your flight, Mr. G? Uh, you muted us. I know, I'm setting up. When's your flight, Mr. G?

Steve Gibson [00:01:16]:
Um, we head out of San Diego tomorrow morning.

Leo Laporte [00:01:18]:
San Diego? Why that?

Steve Gibson [00:01:20]:
Because we have a shitty little airport here in Orange County.

Leo Laporte [00:01:24]:
I like the John Wayne. Oh, but you probably can't get to Orlando from there.

Steve Gibson [00:01:28]:
I couldn't get a flight to your airport, which is similarly sized.

Leo Laporte [00:01:34]:
Similarly shitty, yes.

Steve Gibson [00:01:35]:
With the Charlie Brown statues.

Leo Laporte [00:01:38]:
Yes.

Steve Gibson [00:01:39]:
I couldn't get it. And it happened it was on my birthday, of all things, that if there was finally direct service for the first time from my shitty little airport to your shitty little airport.

Leo Laporte [00:01:50]:
Yeah, so we can come visit you now.

Steve Gibson [00:01:52]:
There's no excuse.

Leo Laporte [00:01:53]:
Yeah.

Steve Gibson [00:01:53]:
And, uh, hey, but, but anyway, it's not— but we had the— if we didn't leave out of San Diego, the— and we left out of Orange County, an 8-hour layover was the only way.

Leo Laporte [00:02:06]:
Oh, that's absurd.

Steve Gibson [00:02:07]:
Between point A and point B. OMG.

Leo Laporte [00:02:11]:
So yeah, so, um, how long—

Steve Gibson [00:02:15]:
we don't get in.

Leo Laporte [00:02:15]:
Thank you.

Steve Gibson [00:02:17]:
Well, so, uh, it's about— and well, the problem is that we, we come down the 5, and San Diego is no longer a sleepy little port, you know, a little military port. It's a big deal. So now its commute traffic has gotten really bad. So, but, but the good news is we don't actually depart until 11:30, so we'll probably be catching the tail end of the commute traffic anyway. So we're going to head out at 7, go down, park. I have a buddy who flies out of San Diego all the time because, because he's, he's a satellite engineer for Yes. And so there's little tricks, like you can pre-purchase your parking online.

Leo Laporte [00:02:57]:
Yes.

Steve Gibson [00:02:57]:
And get a QR code. So you just scan yourself in. Yeah. And, and other little goodies.

Leo Laporte [00:03:02]:
So, uh, so how long does it take?

Steve Gibson [00:03:06]:
Uh, so an hour and a half if there weren't—

Leo Laporte [00:03:09]:
it's kind of like going to San Francisco traffic. Yeah.

Steve Gibson [00:03:13]:
Uh, yeah, you can't get there. I have— I, in fact, a nephew of mine takes the— who lives in Napa, uh, with— and works for Salesforce, sometimes has to go into the city, and he doesn't even try.

Leo Laporte [00:03:27]:
He, he gets on a ferry somewhere and like, yes, you know, go to Larkspur, take the ferry.

Steve Gibson [00:03:31]:
And when my sister visits her son, my nephew, they fly into Sacramento because that's better than— I mean, anything is better than trying to get to, you know, Napa from San Francisco. It's course you guys have a goat trail that connects you to— which is the way you like it, right?

Leo Laporte [00:03:50]:
We're going to, uh, we're going to SFO because for the same reason it would be ridiculous to fly out of Santa Rosa. But, uh, the good news is we just get a car service and we get in there and we sit back and we take a nap, we listen to our— it's just, it's just, we don't do anything. And it, and it is only an hour and 15 when there's no traffic, which We're leaving, our flight is at, uh, 1:30, so we're not leaving.

Steve Gibson [00:04:14]:
Oh nice, so you'll be able to go midday or late morning traffic.

Leo Laporte [00:04:18]:
Yeah, yeah.

Steve Gibson [00:04:19]:
And, and so, so basically we head out at 7 and we arrive at 7. It's 7 or 9, it's late because of the 2-hour time change. Yeah, yeah, time change and so forth. But yeah, we're getting it, you know. And then, and then I saw that you guys are grabbing a car, we're also going to grab a car, so we'll have a Well, yeah, because you're going to visit, you're going to see people.

Leo Laporte [00:04:41]:
Yeah, we're going, uh, we're going to do a Kennedy Space Center, which is—

Steve Gibson [00:04:45]:
I'm the big, uh, the big dilemma has been resolved, and that is who's going to feed the squirrels. Because when we, when we, when we went off on our European trip—

Leo Laporte [00:04:56]:
you can go live. Did you go live already, John?

Steve Gibson [00:04:58]:
Oh, we've been live.

Leo Laporte [00:04:59]:
Oh good, okay.

Steve Gibson [00:05:00]:
Yeah, when, when we went off on our European trip we found this big bucket.

Leo Laporte [00:05:06]:
Squirrel suicide.

Steve Gibson [00:05:07]:
No, no, which we filled with peanuts. We were, at that time, we were feeding them peanuts in the shell, which we thought was cute until the entire, I mean, there were shells everywhere after a few years.

Leo Laporte [00:05:21]:
Yeah, well, they're not gonna eat the shells.

Steve Gibson [00:05:22]:
Oh my God.

Leo Laporte [00:05:24]:
They're not dumb.

Steve Gibson [00:05:25]:
But one of our security cameras showed that, so the idea was, I actually have photos, they're pretty cute. We had a huge bucket with a little squirrel ladder going up the side so they were able to climb.

Leo Laporte [00:05:37]:
But Lori is just like Lisa. Lisa feeds the turkeys. Yeah, well, as a result, the turkey population—

Steve Gibson [00:05:48]:
that's the problem. That's the problem is, first of all, our squirrels are fat and there's many more of them than there used to be because they realized, hey, we can— we, we have a food source, so we can expand our party. Consequently, there's a big issue with our We're leaving, like moving in a couple of months into our new place. And because I'm determined that my problem is I effing hate crows. We have these crows that are the size of a crow.

Leo Laporte [00:06:17]:
You're a crow hater.

Steve Gibson [00:06:19]:
I'm a crow hater. They're like the size of a dog.

Leo Laporte [00:06:21]:
And they're smart. They're so smart.

Steve Gibson [00:06:23]:
They're diabolical. I hate them. And so they like wait till no one's watching and then they swoop down and steal walnuts from the squirrels. Well, these are not your walnuts, you crows. Uh, these are— anyway, so we are determined not to do this again.

Leo Laporte [00:06:41]:
We're—

Steve Gibson [00:06:42]:
when we move, no, nothing's being fed. Hopefully we've had our fill of it.

Leo Laporte [00:06:46]:
But that's what we did. We moved away so we didn't have to feed the turkeys anymore. And Lisa did the exact same thing. She said never again.

Steve Gibson [00:06:54]:
Anyway, we have house sitters so that, so that the animals will continue to be fed the diet to which they have become accustomed and spoiled. So, but when you move, you're not going to do that anymore. No, we're not. We're not going to make the mistake again. Anyway, what I was going to say was that, so we left this big barrel with this cute little squirrel ladder coming up the side. And I happened to check. I don't remember. We hadn't gotten very far on our trip when I checked one of our cameras and the barrel had been knocked over and the nuts had been spilled.

Steve Gibson [00:07:29]:
And it was just a free-for-all. Now, it wasn't ever very practical because squirrels are like, are like monopole magnets. They repel each other. They're like, they will, they're not only one at a time, they're not herd animals. They're not like a pack of wolves, right? They, yes, they, they, something about they, I don't know if they're like, if they're horny or what's going on.

Leo Laporte [00:07:53]:
This is fun. This is why you do this because you have, now you can observe their interesting behaviors.

Steve Gibson [00:07:58]:
Oh yes, we are quite nature observers.

Leo Laporte [00:08:01]:
That's what happens when you get old. Although I just saw an article that said bird watching is a good way to avoid dementia. I don't know, I'm not starting to bird watch, but apparently it's good for you.

Steve Gibson [00:08:12]:
Maybe the problem is if you're a— if someone is a bird watcher, you can't tell whether they're demented. It's like, well, they watch birds. Oh, that's great. No, that might be the first symptom. Oh, Ruby Throated.

Leo Laporte [00:08:27]:
I have your 5— count them, 5 ads. Nothing about being on a Sunday makes any difference when that— when it comes to that. I have your show notes. Kong took Kong.

Steve Gibson [00:08:38]:
And you do have a deadline in 3 hours.

Leo Laporte [00:08:41]:
So we should get going.

Steve Gibson [00:08:42]:
Are you ready? You are?

Leo Laporte [00:08:44]:
Are you ready? I want to continue this story. I'm fascinated. We miss our— we miss our— you know what we miss the most is Bob the Peacock. But yeah, we still have crows, but we don't feed them.

Steve Gibson [00:08:56]:
And I'll tell you, Leo, when they come to the glass, our back glass door, stand up like little meerkats and then put their paw on and look in like, where's the nut lady? Where's the nut lady?

Leo Laporte [00:09:10]:
The nut lady's gone.

Steve Gibson [00:09:11]:
Isn't it Sunday brunch? Where's the nut lady?

Leo Laporte [00:09:15]:
Where's the nut lady? Eat nut lady. Uh, feed us. Oh, that's—

Steve Gibson [00:09:22]:
however, we do have very prolific pine trees, and so although they have to work, it's probably good for them, right, to chew on something a little harder than a— we have weaned them from the walnuts. Walnuts make them almost go into some sort of a drug haze. But so peanuts are— we like stepped them down. Also, the expense. Oh my God, we were spending so much money on walnuts.

Leo Laporte [00:09:47]:
So we now go to the— well, we don't do this anymore, which same thing. Lisa was buying premium sunflower seeds, like for humans.

Steve Gibson [00:09:56]:
Organic walnuts, honey. We're only the best for our squirrels.

Leo Laporte [00:10:00]:
So we— so she started going to the feed store to get—

Steve Gibson [00:10:02]:
their fur is soft and glistening. They've got a high oil content.

Leo Laporte [00:10:08]:
They're getting all those delicious tannins. Oh, yum yum. That's right. That is his— you know what, Lori and Lisa are going to get along. That's very cute. Wow. I'll have to tell Lisa. She will like that story.

Leo Laporte [00:10:22]:
She told me. We don't feed the deer. We have deer and we have crows, but that's about it. We're going to do bird feeders. I have a feeling. I think it's—

Steve Gibson [00:10:31]:
I mean, I have a laser that is strong enough to hurt a crow, but—

Leo Laporte [00:10:35]:
Oh, don't hurt the poor— they're smart.

Steve Gibson [00:10:37]:
I'm on the verge. But no, the other problem is we have lots of planes flying around and they're not happy with lasers.

Leo Laporte [00:10:45]:
So no, especially green ones.

Steve Gibson [00:10:46]:
Yeah, I've avoided— but you know, a black crow, that would absorb the laser energy really well. I've spent some time fantasizing about—

Leo Laporte [00:10:57]:
don't ever tell anyone. After the portable dog killer story, you've got to be very careful now.

Steve Gibson [00:11:02]:
That is true.

Leo Laporte [00:11:03]:
You don't want Homeland Security knocking at your door. Actually, they probably hate crows just as much as you do. All right. Let's go. Showtime, ladies and gentlemen. Thank you for joining us early. All you Club Twit members got the notification. Ooh.

Leo Laporte [00:11:19]:
Oh, you know what happened? I have a timer at 11 a.m. I had set it to Security Now and I have a timer at 11 a.m. that automatically changes it to Twit. They won't do it again. I don't think.

Steve Gibson [00:11:31]:
That's nice. You've got automation. Thank you.

Leo Laporte [00:11:33]:
Oh, it's totally automated. Yeah.

Steve Gibson [00:11:34]:
Something.

Leo Laporte [00:11:35]:
Yeah. But except for that doesn't work so well when I do a show off schedule. Oh, everything's automated. In fact, I had to, because I was leaving town, I had to move all of my systemd services over to the framework, which stays on. And I had to move my Claude. I had to turn on remote control on my Claude and put it in tmux so I can log in. I don't know if I can SSH actually.

Steve Gibson [00:11:59]:
What's happening with the house remodeling project?

Leo Laporte [00:12:02]:
We are almost done. Oh, yeah. The scaffolding is gone. The stucco is finished. They said it all to New York.

Steve Gibson [00:12:10]:
New York got all the scaffolding.

Leo Laporte [00:12:14]:
You don't want to know how much we paid for that scaffolding. Actually, we caught the contractor overbilling because Lisa smart, wisely went to the scaffolding company and said, how much did you charge our contractor? And he was— oh, he was like doubling it. So we were waiting to hear back from him. He suddenly has gone radio silent when Lisa confronted him with the evidence, say, "Well, we'll pay you what you paid them plus your 20% profit, but we're not going to pay you 50% on what you paid them." We also saw a scaffolding-related cost.

Steve Gibson [00:12:48]:
I didn't realize that having people up on a scaffold, you pay extra for that.

Leo Laporte [00:12:52]:
Oh, because of liability.

Steve Gibson [00:12:53]:
Yes. Hazard. Hazard pay.

Leo Laporte [00:12:56]:
Yeah. It's a learning process, isn't it?

Steve Gibson [00:13:02]:
Well, so now all of Club Twit and our listeners are figuring out why we just wait for the recording rather than, uh, no.

Leo Laporte [00:13:10]:
Yes, you don't want to hear this. We do. You shouldn't have to hear this.

Steve Gibson [00:13:14]:
We love our live listeners. I think some people would actually love to hear Steve's opinion.

Leo Laporte [00:13:18]:
Well, if you're interested, we do preserve these pre-show and post-show conversations.

Steve Gibson [00:13:23]:
This will be in the TwitPlus feed.

Leo Laporte [00:13:24]:
It's in the TwitPlus feed.

Steve Gibson [00:13:26]:
I'm just going to let everyone know. This will happen in the TwitPlus feed. Of Steve's, uh, uh, hatred of crows. Crows would tend to absorb radiation quite well. Don't say it again.

Leo Laporte [00:13:40]:
Especially those green lasers. I didn't know it, but the green lasers do an order of magnitude more power than the red.

Steve Gibson [00:13:45]:
This thing will pop a balloon. It's really cool.

Leo Laporte [00:13:51]:
Yeah, that's everywhere. On that note, exploding crows. Now you know why they call it a murder of crows. All right, here we go. It's time for Security Now. Hello everybody. Normally I would say you wait all week for Tuesday, but, uh, if you're watching live, it's Sunday, March 1st. Steve and I are headed off to Orlando, Florida tomorrow for the incredible Zero Trust World Conference put on by ThreatLocker.

Leo Laporte [00:14:19]:
So we thought we'd do, uh, Secure Now a little early. Those of you who listen, after the fact. We'll get the show at the same time, so you're going, what are they talking about? But you know, the only reason I mentioned this, Steve, you probably want to mention it too, is that if anything happens on Monday, Monday, it won't be in the show till next week.

Steve Gibson [00:14:39]:
Well, and this has been actually a problem I've been conscious of because I've now got in the habit of preparing Tuesday's show on the previous weekend, Saturday and Sunday. So already things are like that. And there have been a couple times where I've made notes for the following podcast, or— and I try to make a note of this— I— there have been addition, uh, numbers of the show notes where I've— after the mailing, which by the way went out yesterday, uh, in the early evening, everybody got that, um, I've made notice that, you know, okay, I've updated the show notes because, you know, stuff has happened since.

Leo Laporte [00:15:18]:
So yeah, I have to do that for our shows too. I, uh, it's— yeah, it's just a— yeah, because we want to be up to date.

Steve Gibson [00:15:25]:
So March 1st, uh, I assume your NASes have reported in, as mine have, that all looks good. No, nothing to see here.

Leo Laporte [00:15:33]:
At the first of the month, your NAS says hello? Yeah, yeah, mine probably does too, but I don't check it in. I have a folder where all the NAS messages go, but I haven't I don't ever check it, so.

Steve Gibson [00:15:45]:
Okay, so check it. Uh, we're gonna talk about a bunch of things. This was— this is a jam-packed news and opinion, a little editorial, which seems to be what our listeners prefer.

Leo Laporte [00:15:58]:
Oh yeah, we care about what you think for sure.

Steve Gibson [00:15:59]:
I called this Tong Kong Tooks Crash Fix, which is a tongue twister. What's Tong Tooks? Unless you're a Klingon, in which case Kong Tooks. Kong Tuk. Very much like, yeah, very much like Klingon. Uh, uh, it's the name that I can't forget. I can't remember the name. Uh, I mean, I can't remember the security firm. We'll get to it.

Steve Gibson [00:16:25]:
Uh, it's just a, it's a bad guy's, uh, moniker that, uh, one of the firms have, uh, have.

Leo Laporte [00:16:33]:
They're obviously Klingon fans or Star Trek fans, right?

Steve Gibson [00:16:37]:
Yeah, yeah. I mean, where would Kong Tuk come from? It doesn't sound like Normally the names come from the reverse-engineered code where some reference is found to like, you know, the kongtook.com domain or something. Anyway, we don't know, uh, but there is a— it's been an evolution of this problem that Microsoft is going to have to, as they used to say, I don't know when, belly up to the bar and fix.

Leo Laporte [00:17:05]:
That's the best way to fix it. Maybe that's how the bug happened in the first place.

Steve Gibson [00:17:10]:
Okay, so we, we're going to start with the lowdown on last week's No Turns Allowed Picture of the Week, which captured our audience's imagination like few others have, although we've got another good one, uh, this week. Uh, we're going to look at whether, uh, an AI-driven hacking campaign is a big deal now, uh, and Claude used in multiple Mexican government attacks. Yeah. Apple continuing to confront age restriction legislation. Got some on that. Also, it turns out that COPPA, the Child Protective Act, is going to need an exception for the age collection, which other legislation is now requiring.

Leo Laporte [00:17:59]:
So it should be a hint that there's something wrong here. Exactly. Oh, you don't want to protect kids online when it comes to that. Yeah, it's—

Steve Gibson [00:18:07]:
yeah, right, exactly. Also, um, Meta is using an AI which is— I'm noticing also, Leo, that this term AI slop just immediately achieved traction. Like, everyone knows what AI slop is. It's, it's surprising how quick the adoption was. Anyway, we got AI slop CSAM reports that are drowning law enforcement in false positives. We'll take a look at that. Also, our favorite internet watchdog, Roskomnadzor, has been busy blocking VPNs, but you will never believe how many. The UK makes an effort at reporting on the success of their self-scanning initiative, although there's something fishy about their report, which we're going to look at.

Steve Gibson [00:19:01]:
And Leo, I knew, I actually, I knew when I saw this, you would remember that hacker who was extorting psychotherapy patients whose data had been exfiltrated from their psychotherapy center.

Leo Laporte [00:19:16]:
How low can you get?

Steve Gibson [00:19:18]:
We've actually heard back about this process. That was in 2020, so 6 years ago. Anyway, he's back in the news. It turns out that Scattered Lapsus Hunters, uh, is actively recruiting women, and we're going to find out why. Cisco lands— boy, no one does it like Cisco— another breathtakingly rare 10.0 CVSS. Just, you know, duck and cover, as they used to say. Also, I mean, all bunch of— we've got VulnCheck's report on 2025 vulnerabilities and exploits. Just a little tip of the iceberg there.

Steve Gibson [00:20:00]:
It's probably going to be our topic next week because there's lots of juicy information there. I have discovered a fabulous $72 hardware security module that does all my code signing, multiple certificates, open source. It's fantastic. I'll be talking about that a little bit. Because I know that from, from previous, uh, feedback from our, from our listeners that, you know, anybody who needs to sign code needs something like this. Uh, we have a listener sharing an interesting AI service discovery, and then the very potent ClickFix exploit is evolving, now being used by the Klingonese outfit Kongduk for something called CrashFix. And of course, what would a podcast be without a picture of the week? And, uh, I've already had a lot of feedback saying he should have used a different screw. A security screw would have been better.

Steve Gibson [00:20:59]:
It's like, okay, thank you. That's true. You'll see.

Leo Laporte [00:21:02]:
Yeah, for last week's picture, we got a confirmation from a number of people that that is a real picture from Canada, and that really did happen.

Steve Gibson [00:21:09]:
And the local government was embarrassed. I have a link to the actual story saying, uh, we're sorry, That was a dumb thing to do.

Leo Laporte [00:21:18]:
Hey, it's a very special Sunday Security Now with Mr.— I didn't introduce you, but I think everybody knows that's Steve Gibson.

Steve Gibson [00:21:25]:
If they're here, they're like, okay, they know.

Leo Laporte [00:21:28]:
They know who you are. Move on. Yes. And we are so glad to have you on the show this week. Glad you're watching. Those of you who are alive and figured out we were going to be doing this early, we're glad you're here.

Steve Gibson [00:21:40]:
Our show today, those of you who are dead, You know, though, yeah, you wouldn't—

Leo Laporte [00:21:44]:
you're not watching it, you're not missing a thing though. So, well, maybe, I don't know. I don't— I think if you've passed, you don't have to worry about security so much.

Steve Gibson [00:21:52]:
Opinions vary on that topic.

Leo Laporte [00:21:55]:
Yes, we don't know. We don't know. That's— we'll just have to wait and find out. Uh, this episode of Security Now is brought to you by Meter, the company building better networks. I love this idea. Meter was started by two network engineers who realized the pain points as they built their own networks of legacy hardware, legacy software, not controlling the stack, ISPs who blame the router, the router companies who, who blame the security devices. And if you're a network engineer, I think you know this as well. You've got legacy providers, you've got inflexible pricing, you've got IT resource constraints.

Leo Laporte [00:22:37]:
That's a, that's a permanent, right? Stretching you thin. Then you also have complex deployments across fragmented tools. This is often the case when your company does acquisitions, right? You got a warehouse in Muncie suddenly has to work with the home office in, in, you know, Minnesota. And the thing is just a mess. And the funny thing is you and your networks are mission critical to the business, but you're stuck working with infrastructure that just wasn't built for today's demands. Enter Meter. They know your pain. That's why companies are switching to Meter.

Leo Laporte [00:23:11]:
Meter delivers full-stack networking infrastructure. They realized if we're going to make a good, solid, robust network for the future and the present, we got to control the entire stack. So they do it all— wired, wireless, cellular. They build for performance, they build for scalability. Meter does it all. They design the hardware, they write the firmware, they build the software. They will manage the deployment. They'll even provide support.

Leo Laporte [00:23:37]:
Even ISP procurement. They will help you with that too. Security, of course, routing, switching, wireless, firewall, cellular, power, DNS security, all the pain points, VPNs, SD-WANs, multi-site workflows. And it's all in a single solution from a single vendor. So that's one phone number. To call if there's something wrong, one place to go for support. They take care of it all. Meter's single integrated networking stack scales.

Leo Laporte [00:24:08]:
They, they're in major hospitals. They work in branch offices, that Muncie office, they can handle it, warehouses, large campuses, even data centers. Reddit uses Meter in their data centers. The assistant director of technology for Webb School, another great customer, Webb School of Knoxville, they had a problem. He said, quote, we had more than 20 games, athletic events, on campus simultaneously between our two facilities. Each game was streamed via wireless and wired connections, and the event went off without a hitch. We never could have done this before Meter redesigned our network. With Meter, you get a single partner for all your connectivity needs, from first site survey to ongoing support without the complexity of managing multiple providers or tools or the, you know, the provider handoff.

Leo Laporte [00:25:00]:
It's not our fault, it's their fault. Meter's integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. Meter is built for the bandwidth demands of today and tomorrow. We're so glad Meter found us, and I hope you will find them. I was really thrilled to talk to them. I had— I didn't really know anything about them, and I was so impressed when I met them. We thank Meter so much for sponsoring Security Now. Go to meter.com/securitynow, book a demo today.

Leo Laporte [00:25:35]:
That's meter.com/securitynow to book a demo. Meter is the future of networking, and it's going to be a lifesaver for you. Meter.com/securitynow. Thank you, Meter. Welcome to the show. Okay, I'm ready for the picture of the week.

Steve Gibson [00:25:54]:
So our caption on this photo, this is dad saying to— because he's a dad— one of his kids, this is the last time I'm going to tell you to turn down the volume of what you call music.

Leo Laporte [00:26:10]:
Oh, Dad. Dad found a solution.

Steve Gibson [00:26:16]:
Yes, he did. And given the location of the little volume indicator dot on the volume control, which is like right at minimum, it looks like now, doesn't look like Junior gets to turn this up very high. OMG. And now you can see why one of our listeners said you should have used a security screw, you know, where you can only screw it in, but they— but the Phillips head is unable to get a grip when you're trying to go in the other direction.

Leo Laporte [00:26:47]:
It does look like somebody has tried to unscrew it, actually.

Steve Gibson [00:26:51]:
I, I think that the drill skittered.

Leo Laporte [00:26:53]:
Oh, maybe that's it. Yeah.

Steve Gibson [00:26:55]:
Yeah. So for those who are not looking at the video or don't have the show notes, I'm sorry. Uh, what we have is what we would call an old-school volume limiter. Um, the, the problem, of course, is that the kids have, uh, you know, stereo system, which they just are unable not to turn up so that it's bugging mom and dad, who can't think, uh, not only due to the nature of the music but its volume. So finally, at the end of his rope, dad has come up with a solution. He's drilled a hole in the side of the volume knob with a screw sticking out of it about an inch, and then another screw in the faceplate of this stereo such that the screw that rotates as you try to turn the volume up will hit the limiting screw, preventing it from going— looks like maybe more than maybe, you know, level 2 or 3. Yeah, not very much. So clearly, regardless of the backstory here, this is obviously And a, a someone's determined effort to prevent the volume control from being turned up very far.

Leo Laporte [00:28:15]:
This is, uh, points out this, this would be good in a nightclub where patrons tend to go over to the sound system and crank it, you know. Yeah. Or your neighbor snuck into your apartment.

Steve Gibson [00:28:27]:
Um, uh, as a frequent, uh, patron of restaurants, I've had the experience where I'm, I'm in early for dinner, and the crew of workers have been there. They turned the volume up and then leave it up, and they, you know, they just forget. And it's like, God, can you turn the volume down? I can't think.

Leo Laporte [00:28:48]:
Don't you know it's early bird time? You got to turn it down.

Steve Gibson [00:28:52]:
So a solution— kids— a solution has been found. I, of course, would have put a small resistor network in line with the speakers in order to take the energy out of the speaker line. And then Junior would think, God, what happened? Did I break Blow the amp.

Leo Laporte [00:29:07]:
It's not working.

Steve Gibson [00:29:09]:
Maybe I'm deaf. That's right. Okay, so I wanted to thank many listeners who were made curious by last week's Picture of the Week. And Leo, you heard from many people too. I did. Just to remind people, that was the street which was the stem of a T-intersection. So the street we were seeing, you know, was leading up to a T-intersection in the distance, and signage which would be encountered as the driver was driving toward that T-intersection indicated that neither turning left nor right would be legal. Thus, I gave the caption, but officer, to the picture.

Steve Gibson [00:29:48]:
Thanks to listener research, of which there was much, and some used AI, you know, asked AI to track this down, we now know that the photo, first of all, was not synthetic. That was my, you know, a common thought was, oh, come on, that was just Photoshopped. Uh, it was bizarre but authentic. And after the photo went viral a few years ago, it became a significant embarrassment to the local government, uh, who was responsible for its emplacement. The location was a town called Simcoe in Norfolk County, Canada. In a news report that one of our intrepid listeners found and shared explained that, quote, drivers, please note that signs were installed this week which restrict left and right-hand turns at the intersection of Crescent Boulevard and Queensway in Simcoe. The intent of the new signs was to make Crescent Boulevard a dead-end street. The signs have been removed.

Steve Gibson [00:30:54]:
So anyway, uh, in other words, the signage was technically correct, and you were— it was like up to you to come to this stop sign having seen the 'you can't turn left, can't turn right,' and what, do a U-turn as if it dead-ended at that point rather than allowed you to cross into the, the cross street.

Leo Laporte [00:31:15]:
So it's crazy.

Steve Gibson [00:31:16]:
Anyway, my favorite quip about last week's photo was provided to us by a listener, Joseph Rourke, who noted, despite the presence of the Tim Hortons in the background, we know this cannot be Canada, otherwise there'd be a line of cars sitting at the stop sign. So many thanks to our listeners among the more than 20,000 who receive the weekly mailing, uh, and whose imaginations were captured and took time to do the research and/or comment. Anyway, and also a big thanks to whoever it was who sent that to me in the first place. You know who you are, and I ask our listeners to keep them coming because they're fun to share. Okay, so the headline in the news last week was— this is the headline— AI-driven hacking campaign breaches 600+ Fortinet devices. Now I'm going to first share the news report, and I have a few things to say about it. Uh, the reporting says a Russian-speaking, financially motivated threat actor used commercial AI toolkits to hack more than 600 Fortinet firewalls. The campaign began at the start of the year, around January 11th, according to the AWS security team.

Steve Gibson [00:32:37]:
The attacker did not exploit zero days or older vulnerabilities. Instead, they targeted FortiGate devices that had their management ports— oh, Lord— exposed online, used weak passwords, and didn't have multi-factor authentication enabled. Okay, so just to interrupt here, FortiGate devices, publicly exposed management ports, weak passwords, and no other authentication required. So no flaws were used, just very poor configuration hygiene. Story continues. Once inside, the attacker employed a collection of scripts that AWS says were written by AI tools. While AWS did not name products, researchers from Cyber and Ramen and Ctrl+Alt+Int3i identified them as being Claude and DeepSeek. DeepSeek was used to create scripts to perform reconnaissance and extract configurations from the hacked devices, while Claude was used to generate scripts for vulnerability assessments and to run offensive tools against the networks.

Steve Gibson [00:33:49]:
Since this is the intersection of AI and infosec, writes this story, the report generated a tornado of feedback and opinions on social media. The general consensus was that the threat actor wasn't particularly sophisticated, which AWS also believes. AWS CISO CJ Moses said the attacker was more interested in scale than value. Every time they encountered errors caused by hardened or non-standard internal networks, the attacker just moved on to a softer target. Once they did move laterally from the Fortinet device, the attacker compromised the victim's Active Directory environment, extracted database credentials, and tried to gain access to backup infrastructure. This led everyone to believe the threat actor was a relatively low-skilled initial access broker, right, an IAB, that gains initial footholds on corporate environments and then sells their access to the hacked network on underground portals. Okay, so I think it's entirely expected that anyone who has any need for any sort of code or scripting for any purpose whatsoever will increasingly be using AI. That's just today's reality.

Steve Gibson [00:35:16]:
Good guys are doing it and bad guys are doing it. And there's no reason to expect AI to be able to discriminate between the two. A high-level language compiler doesn't know or care who's using it or to what purpose the code it's helping to produce will be put, right? That's not its job. So the fact that we have now chosen to give consciousness-emulating large language models the marketing label of artificial intelligence should not and does not automatically mean that these new tools somehow have responsibility for what they're being asked to produce. So, okay, but don't these tools make attackers more powerful? Yes, they do, and they also make the good guys more productive. That's why everyone, both good and evil, is now using them. In the current instance, there's nothing inherently wrong with a script that performs a vulnerability assessment. White-hat security researchers employ such tools to aid their beneficial research, much as bad guys may use the same tools to perform pre-attack vulnerability assessments. My point is that any social media hysteria arising from the fact that AI was involved is now ridiculous.

Steve Gibson [00:36:45]:
If you encounter it online, I would recommend meeting it with a shrug and clicking on the thumbs down button. This is just the way the future is going to look now. It may have surprised us a few years ago, but it should surprise us no longer. And AI should not receive any of the blame for the way its creators, we humans, choose to use it. It's a tool and nothing more. It has no social obligations or responsibilities. It's not accountable. We are.

Leo Laporte [00:37:20]:
I like that because that eliminates that whole issue of AI safety.

Steve Gibson [00:37:25]:
Yes. Yes. Which, as I said, we might as well give up because we're not going to get it. And again, you know, we call it artificial intelligence. It's not intelligent. It doesn't know anything. It's a very powerful new tool, but it's still a tool and it's not responsible for the way we use it.

Leo Laporte [00:37:44]:
As usual, it's the humans who are the problem.

Steve Gibson [00:37:49]:
Exactly. Okay, now I'm going to give everyone a quick self-test to see whether the point I hope I've just made has had the chance to sink in. Perform a self-assessment to see how you feel about this next piece of news. It reads, quote, a hacker has stolen more than 150 gigabytes of data from multiple Mexican government agencies. The attacker allegedly used Claude to assemble scripts to gain access to government networks. According to Bloomberg, the attacker breached and stole data from Mexico's tax authority, National Electoral Institute, and several state water utilities. The stolen data covers 195 million taxpayer and voter records, government employee credentials, and civil registry files. Okay.

Steve Gibson [00:38:46]:
Should we care at all that AI was employed in these attacks?

Leo Laporte [00:38:52]:
No.

Steve Gibson [00:38:53]:
The fact that Claude was used in these attacks appears to be the highlight of Bloomberg's piece because they've got, they've got, you know, they're looking for clickbait, right? You know, it was certainly the headline which they attempted to make inflammatory. You know, eventually the world will get used to this and it will just be assumed. And I hope everybody listening to this podcast will be in the lead on that, because again, that's the, that's the technical reality here. Another technical reality is that Apple appears to be feeling the pressure to respond to the growing legislation-driven need for the providers of internet services and online apps to— and app apps, you know, Apple Store apps— to know and to respond to the age of their users. Last Tuesday, Apple posted an update to their developer portal addressed to their app developers. So this was written when, when, when you see the word like your app, so, so that this is written to app developers. They said, today we're providing an update on the tools available to developers to meet their age assurance obligations under upcoming US and regional laws, including in Brazil, Australia, Singapore, Utah, and Louisiana. Updates to the declared age range API are now available in beta for testing.

Steve Gibson [00:40:28]:
For Brazil, developers who are distributing apps in Brazil can use the updated declared age range API to obtain a user's age category. Age categories for users in Brazil will be shared when the user or a parent or guardian, where relevant, agrees to share the age category with you. The API will also return a signal from the user's device about the method of age assurance. For developers distributing their apps in Brazil, if you identify that your app contains loot boxes through the age rating questionnaire, the age rating of your app on the Brazil storefront will be updated to 18+. For apps rated 18+ in Australia, Singapore, and Brazil. And if this is all seeming like a big mess, you're getting that, you're getting the clue here. Yes, they say starting February 24th, which is, which was last Tuesday, the date of this announcement, in other words, you know why this was posted, Apple will block users in Australia, Brazil, and Singapore from downloading apps rated 18+ unless they have been confirmed to be adults through reasonable methods. And boy, I hate that kind of language.

Steve Gibson [00:41:51]:
Like, okay, you know, it's like any legislation that is written that isn't airtight, that, you know, is subject to interpretation. And it's like, oh, let's let the attorneys sort this out. Oh God, through reasonable methods, whatever that is. They say the App Store will perform this confirmation automatically. Oh, that's good. However, developers may have separate obligations to independently confirm that their users are adults. To assist with this, the Declared Age Range API, available on iOS, iPadOS, and macOS, provides developers with a helpful signal about a user's age. It's okay, so they're being helpful, uh, for apps rated 18+ Australia, Singapore, Brazil.

Steve Gibson [00:42:39]:
However, for Utah and Louisiana— oh, but not yet. Wait for it. For users with new Apple accounts in Utah as of May 6th. Okay. So, okay. Wait. Fresh accounts? How new do they have to be? Are they accounts created after May 6th? We don't know. For users with new Apple accounts in Utah as of May 6th, 2026, so a couple months from now, and in Louisiana as of July 1st, 2026.

Steve Gibson [00:43:14]:
What a mess. Age categories will be shared with the developer's app when requested through the Declared Age Range API. The tools we previously announced have been expanded to help developers meet compliance obligations for Louisiana and Utah, including the Declared Age Range API, the significant change API under PermissionKit. That's that thing where if your app undergoes a significant change, you need to declare that because then that makes it potentially subject to all kinds of reevaluation. Then there's the new age rating property type in StoreKit. And App Store server notifications. They said new signals are now available through the Declared Age Range API, including whether age-related regulatory requirements apply to the user. What a mess.

Steve Gibson [00:44:14]:
And if the user is required to share their age range, the API will also let you know if you need to get a parent or guardian's permission for significant app updates for a child. Developers can use the declared age range API to present significant update notifications to adults in these states through the significant update action. Now in beta. When releasing a significant update, developers must follow the human interface guidelines and provide users with a meaningful description of the update. Leo, you know, on one hand, I would be— I'm a little tempted to feel some empathy and a little sorrow for Apple. The same time, I would say, guys, you brought this on yourself by refusing to do this 5 years ago, right? They could have so easily put a far simpler system in place. That would, that would have satisfied people, that would have solved this problem and prevented all of this ridiculous fragmentation. I mean, it— you're going to need a whole new building at Apple in order to like figure out what to do for who on what day, depending upon whether they're, you know— oh Lord, what a mess.

Leo Laporte [00:45:43]:
Yeah, this is what Meta wanted, by the way. They didn't want to do it, so they said make Apple do this.

Steve Gibson [00:45:48]:
Place.

Leo Laporte [00:45:48]:
By the way, there is in California a law that goes in effect, you know about this, on January 1st of '27, that will require operating systems, all operating systems, to do this. And the Linux community is a little worried about it because nobody— it's the, the real issue is it's unenforceable. California can't make Linux do this. They can make Apple do it. They can make Google do it because they're gatekeepers. They can go after the companies.

Steve Gibson [00:46:17]:
And this is part of the larger plot, right? Like the 3D printer restriction is also unenforceable. It doesn't work. You can write a law. It doesn't mean you can get what you want. Yeah. Yeah. But Leo, we're going to let our listeners get what they want. What do they want?

Leo Laporte [00:46:35]:
Do they want another commercial? I want some—

Steve Gibson [00:46:38]:
I want some coffee.

Leo Laporte [00:46:39]:
So whatever Steve wants. Best guess. We'll be back with more Security Now. I know you really want that. I should tell you though, if you're in IT, if you're responsible for the security of your company, our advertisers here at Security Now are always something you should be interested in. We have people, I think companies have realized if you want to reach these IT decision makers, you come to Steve. I am so impressed by who our listeners are, Leo.

Steve Gibson [00:47:07]:
When I hear from them, it's just like, I mean, I'm embarrassed that they're listening to me.

Leo Laporte [00:47:14]:
I know.

Steve Gibson [00:47:14]:
They're so— Me?

Leo Laporte [00:47:14]:
I know. Oh, I know. I have the same reaction constantly. Oh, you listen? Aha. Oh, it makes me a little nervous. We're going to meet a lot of our listeners in Florida, by the way. I'm very excited. Steve and I are headed to Zero Trust World.

Leo Laporte [00:47:26]:
We'll tell you more about that in a little bit. And Steve's giving a presentation on Wednesday. And usually when we do these things, Steve, we've done them a couple of times before. There's a long line out the door to get a selfie with Steve Gibson. So we're gonna have to—

Steve Gibson [00:47:41]:
they wanted Leo too. No, no, no, they wanted you.

Leo Laporte [00:47:44]:
Uh, I usually jumped in just so they had me in case they, they went home and said, oh, where's Leo? Oh well.

Steve Gibson [00:47:52]:
Well, for what it's worth, I'm happy to, you know, smile into your phone.

Leo Laporte [00:47:56]:
All of you will be fun listeners, and we'll line up a photographer. If it doesn't break your camera, that's good.

Steve Gibson [00:48:02]:
Uh, this episode is to get—

Leo Laporte [00:48:05]:
I'll go ahead, get some coffee, Steve. This episode of Security Now is brought to you by GuardSquare. This is a relatively new advertiser, but boy, if you listen to the show, you're going to realize you need GuardSquare. If you're doing mobile app development, you need GuardSquare. Mobile apps today have become an inescapable part of life. That's part of the problem. Financial services, healthcare, retail, and entertainment users trust mobile apps with their most sensitive personal data, but a recent survey showed 72% of organizations experienced a mobile application security incident last year. 92% of respondents reported rising threat levels over the last 2 years.

Leo Laporte [00:48:50]:
That's obvious. Meanwhile, attackers who are, you know, desperately want your users' personal data are constantly finding new ways to attack your mobile app. You don't want to be responsible for this. They reverse engineer it, they repackage it, they distribute a modified app via phishing campaigns, sideloading third-party app stores. Your end users don't know the difference as suddenly they've got your app plus some— a little bit of malware thrown in. But you can stop it by taking a proactive approach to mobile app security. You can stay one step ahead of these attacks and maintain the trust of your users. And that's, that's really what's most important.

Leo Laporte [00:49:31]:
That's where GuardSquare comes in. And GuardSquare delivers mobile app security without compromising, providing advanced protections for both Android and iOS apps. And it's more than just built into the app. It's also combined with automated mobile application security testing to find vulnerabilities, real-time threat monitoring to gain insight into attacks. So if somebody's doing something to your app, you know. Discover more about how GuardSquare provides industry-leading security for your mobile apps at guardsquare.com. That's guardsquare.com. You owe it to yourself, you owe it to your users.

Leo Laporte [00:50:10]:
Check it out, guardsquare.com. We thank them so much for supporting security now. Steve, now fully caffeinated, will continue.

Steve Gibson [00:50:19]:
As if I need more caffeine. And speaking of online web-based services, there has apparently been some concern— I, I would say justified, you know, if you want to follow the rules— um, over the intersection of child privacy enforcement and the apparent explicit need to violate that very privacy for the sake of complying with legislated age determination. Last Wednesday, on the heels of Apple's begrudging update to their age-related APIs and their download, you know, their app download enforcement, the U.S. Federal Trade Commission, our FTC, issued a formal policy statement with the headline FTC issues COPPA policy statement to incentivize the use of age verification technologies to protect children online. They wrote, the Federal Trade Commission issued a policy statement today announcing that the commission will not bring an enforcement action. I don't know if I would call that incentivizing, it's like de-threatenizing. Will not bring an enforcement action under the Children's Online Privacy Protection Rule, COPPA, C-O-P-P-A, against website and online service operators that collect, use, and disclose personal information for the sole purpose of determining a user's age via age verification technologies. The COPPA rule requires operators of commercial websites or online services directed to children under 13, and operators with actual knowledge that they are collecting personal information from a child, to provide notice of their information practices to parents and to obtain verifiable parental consent before collecting, using, or disclosing personal information collected from a child under 13. And what a pain in the butt it is to actually do that, right? So we see the problem here, right? The emerging age restriction regulations are placing the burden upon online services to, you know, to whatever they must do to determine their visitors' ages.

Steve Gibson [00:52:45]:
But doing this could force the site to run afoul of other regulations, specifically COPPA, which are already in place to protect the privacy of their underage visitors and users. In this instance, it's necessary to carve out an explicit privacy exception so that online services will be able to collect the data that they must without fear of tripping over COPPA's restrictions. So the FTC explains, age verification technologies play a critical role in helping parents as they monitor their child's online activities. Since COPPA was enacted in 1998, so it's been around for a while, there's been an explosion in the use of internet-connected technologies by children. To help parents navigate the challenges associated with their child's online activities, some states have started requiring some websites and online services to use age verification mechanisms to help determine the age of users. But as noted at the FTC's recent workshop on age verification technologies, some age verification technologies may require the collection of personal information from children, prompting questions about whether such activities could violate the COPPA rule. Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection, said, quote, age verification technologies are some of the most child protective technologies to emerge in decades.

Steve Gibson [00:54:21]:
Our statement incentivizes operators to use these innovative tools. Again, I would say, you know, doesn't, you know, suspends disincentivizing them because that's the threat of being of action under COPPA that is causing them to say, wait a minute, which empowers parents to protect their children online, unquote. The policy statement states that the commission will not bring— this is the, the statement from the FTC— will not bring an enforcement action under the COPPA rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information for the sole purpose of determining a user's age without first obtaining verifiable parental consent if they comply with certain conditions, specifically that they— and we've got 6 bullet points— one, do not use or disclose information collected for age verification purposes for any purpose except to determine a user's age. Two, do not retain this information longer than necessary to fulfill the age verification purposes, and delete such information promptly thereafter. Three, disclose information collected for age verification purposes only to those third parties the operator has taken reasonable steps— and here again, I hate that kind of language, but okay— to determine are capable of maintaining the confidentiality, security, and integrity of the information, including by obtaining certain written assurances from those third parties. Okay, so at least transferring responsibility, hopefully legally enforceable. Fourth, provide clear notice to parents and children of the information collected for age verification purposes.

Steve Gibson [00:56:23]:
Fifth, employ reasonable security safeguards for information collected for age verification purposes. And finally, sixth, take reasonable steps to determine that any product, service, method, or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user's age. Again, does that mean, you know, facial recognition, which we know is really prone to error? Whatever. Finally, they say the policy statement indicates that the commission intends to initiate a review of the COPPA rule to address age verification mechanisms. The policy statement will remain effective until the commission publishes final rule amendments on this issue in the Federal Register or until otherwise withdrawn. Okay, so this, this policy statement is intended essentially to provide interim cover for online sites and services that do need to enforce privacy-breaching age-restriction measures today, which would otherwise expose the site to COPPA infringement. This suggests that COPPA itself, as they said here toward the end of this FTC announcement, COPPA itself will require amending to provide a permanent and clear path for privacy-respecting age verification for minors. So again, well, one piece of legislation colliding with another.

Steve Gibson [00:58:02]:
Surprise. The Guardian reports that Meta's CSAM detection AI is flooding law enforcement with low-quality, unactionable, which is, as we'll see here, it's like, it's really sad. False positive reports of online child sexual abuse that are seriously hampering law enforcement's ability to function. Under The Guardian's headline, Meta's AI sending junk tips to DOJ, U.S. child abuse investigators say— here's what The Guardian reported. They said officers from the U.S. Internet Crimes Against Children, ICAC task force, said that Meta's use of artificial intelligence to moderate its social media platforms is generating large volumes of useless reports about cases of child sexual abuse, which are draining resources and hindering investigations. Benjamin Zweibel, a special agent with the ICAC task force in New Mexico, said last week during his testimony in the state's trial against Meta.

Steve Gibson [00:59:20]:
So this is New Mexico versus Meta. He said, quote, we get a lot of tips from Meta that are just junk. The state's attorney general alleges the company's platforms are putting profits over child safety. Okay, now at first I have to say, I'll take a break here from this to say I was puzzled by that. But what I believe New Mexico's attorney general is saying is that rather than employing humans who would be able to use, you know, usefully discriminate between what is and is not actual child exploitation and abuse. Meta is endeavoring, they allege, to save money by using AI, which is not actually doing the job. So Meta is failing in their obligation, but they're failing in a way that's causing lots of trouble. The report continues saying Meta disputes these allegations, citing changes it has introduced on its platforms, such as teen accounts with default protections.

Steve Gibson [01:00:23]:
The ICAC task force is a nationwide network of law enforcement agencies coordinated with the U.S. Department of Justice to investigate and prosecute online child exploitation and abuse cases. Another ICAC officer speaking on the condition of anonymity to discuss internal matters said, quote, Meta is providing thousands of tips each month. It's pretty overwhelming because we're getting so many reports, but the quality of the reports is really lacking in terms of our ability to take serious action, unquote. The ICAC officer added that the total number of cyber tips their department had received doubled from 2024 to 2025. Both Zweibel and two ICAC officers said that unviable tips from Instagram, Facebook, and WhatsApp often contain information that's not criminal. The anonymous officers added that in other cases, tips sometimes contain information indicating that a crime may have occurred, yet vital images, videos, or text are missing or redacted. The ICAC officer added, unviable tips from Instagram have really skyrocketed recently, especially in the last couple of months, and that's one of the biggest places where we're seeing important information not being provided.

Steve Gibson [01:01:51]:
In those cases, he said, we don't have the information to further the investigation. It weighs on you. To know that this crime occurred, but we can't identify the perpetrator, unquote. So just to clarify that point, you know, these investigators are saying that what they see are clearly crimes which Meta's use of AI happened to have found. So not a false positive, it's true, but that the evidence that's needed to take any action about it is missing, which would not normally be the case if it were a human-driven investigation. So Meta's use of AI is not only flooding law enforcement with crap, but it's also serving to obscure the necessary details of actual crimes it detects. You know, if we didn't know better, we'd be inclined to think this had been deliberately designed by criminals for criminals. It wasn't.

Steve Gibson [01:02:51]:
I'm not suggesting that, but it's having that effect, right? The story says, asked about Zweibel's testimony and the ICAC officer's remarks, a Meta spokesperson said, quote, we've supported law enforcement to prosecute criminals for years. The DOJ has repeatedly praised our fast cooperation that has helped lead to arrests, and NCMEC has praised our streamlined and improved tip reporting process. In 2024, we received over 9,000 emergency requests from U.S. authorities and resolved them within an average of 67 minutes, and even more quickly for cases involving child safety and suicide. Consistent with applicable law, we've reported apparent child sexual exploitation imagery to NCMEC and support them to prioritize reports, from helping build their case management tool to labeling cyber tips so they know which are urgent. Okay, so I'll just note that while this sounds great, it doesn't appear to be responsive to the question of AI's use. That Meta spokesperson appears to be referring to the work of humans employed by Meta, not their cost-saving AI. The Guardian's reporting then shifts gears to provide some background on NCMEC, which is the National Center for Missing and Exploited Children.

Steve Gibson [01:04:26]:
The Guardian writes, by law, social media companies based in the United States are required to report any detected child sexual abuse material, CSAM, on their platforms to the National Center for Missing and Exploited Children, NCMEC. It serves as a national clearinghouse for reports, which it forwards to the appropriate law enforcement agencies across the United States and internationally. NCMEC does not have the authority to filter out any tips that may be unviable before they're sent to the relevant law enforcement agencies. So 100% has to flow through. Meta is by far the largest reporter to NCMEC. In its data report for 2024, NCMEC said Meta made 13.8 million reports across Facebook, Instagram, and WhatsApp. Okay, so, you know, 13.8 million, right? Well, you have 12 months in a year. So simple math tells us that's over a million reports per month is coming from Facebook, Instagram, and WhatsApp.

Steve Gibson [01:05:42]:
And that 13.8 million is out of a total of 20.5 million tips that NCMEC received in total. So, you know, well over half. NCMEC said that in 2024, more than 1 million CyberTipline reports were linkable to a specific U.S. state, and those reports were made available to the ICAC task forces around the country, as well as other federal, state, local law enforcement agencies for investigation. Meta and other social media companies use AI to detect and report suspicious material on their sites and employ human moderators to review some of the flagged content before sending it to law enforcement. The Guardian has previously reported that tips generated by AI that have not also been reviewed by a social media company employee often cannot be opened by a law enforcement officer without a warrant because of Fourth Amendment protections. This extra step also slows investigations of potential crimes, lawyers involved in such cases have said. A Meta spokesperson said, it's unfortunate that court rulings have increased the burden on law enforcement by requiring search warrants to open identical copies of content we've already reviewed and reported.

Steve Gibson [01:07:16]:
Our image matching system finds copies of known child exploitation at scale that would be impossible to do manually, and we work to detect new child exploitation content through technology, reports from our community, and investigations by our specialist child safety teams. Under the REPORT Act, where REPORT is an acronym for, um, Revising Existing Procedures on Reporting Via Technology, so REPORT, which came into force in November 2024, online service providers must broaden and strengthen their reporting obligations by notifying NCMEC's CyberTipline not only about child sexual abuse material but also about planned or imminent abuse, child sex trafficking, and related exploitation. They must also preserve evidence for a longer period and face higher penalties if they knowingly fail to comply. Excuse me. Since the act passed, the number of unviable tips supplied by Meta has increased dramatically, which should be— excuse me— which could be because the company is acting to ensure it is not falling foul of the law, two ICAC officers said. So in other words, Meta is, is complying because they're being forced to comply. The result, however, is a lot more noise among the signal. They said many of these tips could not be construed as a crime, such as adolescent girls talking about which celebrity they find most attractive.

Steve Gibson [01:09:03]:
Special Agent Benjamin Zweibel said in court, quote, based on my training and experience, it appears that they are being submitted through the use of AI, as these are common mistakes that an AI would make that a human observer would not. Zweibel added that his department receives significantly fewer tips on legitimate cases of child sexual abuse material distribution from Meta than in previous years. So in other words, not only has the noise gone up, but the signal, the quality, has gone down. Every tip that reaches an ICAC division must be reviewed, and the influx of unviable tips is taking time and resources away from investigating legitimate cases of child abuse, said two officers. One ICAC officer said, quote, it's killing morale. We're drowning in tips. And we want to get out there and do this work. We don't have the personnel to sustain that.

Steve Gibson [01:10:09]:
There's no way that we can keep up with the flood that's now coming in, unquote. So I want to chalk this up less to Meta being evil, which I don't think is the case, than to the growing pains of effective AI deployment. We're still very much learning how to best use the new and surprising capabilities of large language model networks. And I suspect that a strong case could be made for there truly being far too much content for humans to manually inspect. In other words, you know, and we've talked about this, right, with the legislation that the UK keeps circulating and trying to make happen. Where it's just like, you know, how are we going to do this? Apple has proposed doing on-device, uh, CSAM image comparison, and nobody wanted that. I mean, the, the, the actual volume of content is beyond human management. Um, so, you know, although the specter of having overlord AIs examining everything— excuse me— examining everything that's transacted over social media.

Steve Gibson [01:11:36]:
You know, it feels very Orwellian. Our legislators are requiring a level of oversight from social media companies that likely has no other workable solution. It's, you know, AI it will be. We just need to continue figuring out how to best use it. And again, all evidence is we're making headway and we're going to get a lot better than we are. We can clearly see how much better we are now in using AI for code than we were a couple of years ago. This is going to get better. And I think we're just going to, in the future, the legislators are going to force it to be the case that some machine intelligence is going to be watching dialogues, and we're just, you know, users are going to have to put up with that as a cost of the privilege of being able to communicate with encryption.

Steve Gibson [01:12:40]:
I just saw a short mention blurb that surprised me. The news was just that Russia's wonderfully named internet watchdog, Roskomnadzor, has now blocked Russian citizens' access to— you're not going to believe how many— 469, Leo, individual VPN services.

Leo Laporte [01:13:10]:
Of course.

Steve Gibson [01:13:11]:
Inside Russia.

Leo Laporte [01:13:12]:
All of them, in other words, they could find.

Steve Gibson [01:13:15]:
Yes, I mean, and which means, but none of the ones that have sprung up since then, right?

Leo Laporte [01:13:22]:
Right.

Steve Gibson [01:13:22]:
It seems to me that the fact that they, that there are 469 VPN services inside, you know, discrete individual VPN services inside Russia to be blocked in the first place, that's the real story here, you know, right? Talk about a citizenry that's desperate to escape the shackles of their own state's filtering and tampering and management. This is a citizenry that is desperate for contact with the outside world and a repressive government that's doing everything it can to prevent that. It's becoming increasingly clear why Russia has been experimenting with completely disconnecting from the global internet. They want the ability to just go internal, sovereign, and cut off all outside contact. In other Russian news, I saw a report that indicated that the Kremlin had decided to fully block Telegram starting in April of this year, right? Okay, next month. That's puzzled me since I thought that Telegram was already being fully blocked. We talked about that just recently. But this reporting stated that Telegram was currently only 55% blocked.

Steve Gibson [01:14:44]:
Okay, it's not clear to me what a 55% block might mean. Uh, the only thing I can figure is that perhaps access to Telegram is currently being limited to specific regions or sectors or industries, uh, and that additional regions are being added to the master block list so that by the end of this month of March, nothing will be left. No. Okay, whatever the case, Russia appears to be quite intent upon controlling its citizens' access to information. No, good luck.

Leo Laporte [01:15:23]:
It's inevitable if you want to do that. You got to get rid of VPNs. That's yes, the next step.

Steve Gibson [01:15:29]:
As we know, information wants to be free. Yeah.

Leo Laporte [01:15:31]:
It's pretty hard.

Steve Gibson [01:15:32]:
It's been said it's very difficult. I mean, you know, we got satellite now too. Yeah. Um, okay, this one. Oh, uh, about 14 months ago, in January '25, we reported that the UK was launching a plan to begin continuously and proactively scanning its own national public-facing network segments for the purpose of preemptively detecting vulnerabilities and alerting those owners of the IP addresses where vulnerabilities were found. Our listeners may also recall that I was jumping up and down over how much I thought this made sense and suggesting that this was something every nation should be doing to its own public-facing internet address ranges in its own self-interest. I think this is just a great idea. So we're talking about this again today, 14 months later, because last Tuesday— I'm sorry, last Thursday— the UK, out of a celebratory press release, uh, used the headline, government cuts cyber attack fix times by 84% and launches new profession to protect public services.

Steve Gibson [01:17:05]:
A new profession, huh? Okay. The press release led with 3 summary bullet points. They said critical cyber weaknesses across the public sector will now be fixed 6 times faster than before. Ministers are determined to go further with first-ever dedicated government cyber profession. That's in caps, capital C, capital P, cyber profession, to give the state the skilled staff it needs to protect UK's key services from cyber threats. And finally, the number of serious unresolved cybersecurity weaknesses across government cut by three-quarters as part of government-wide efforts to strengthen Britain's digital defenses. Wow, sounds great. Before I share what the press office of the UK said, allow me to preface this by noting that we're going to encounter something that makes no sense whatsoever to me.

Steve Gibson [01:18:08]:
But regardless, here's what they wrote. They first said, public services millions of people depend on, from the NHS to the legal aid agency, are becoming significantly safer and more resilient thanks to major improvements by the government to identify and fix cyber threats. Great. A specialist government monitoring service introduced as part of the Blueprint for Modern Digital Government published in January 2025, means serious security weaknesses in public sector websites are fixed 6 times faster, cutting the average time from nearly 2 months to just over 1 week. Okay, so far so good. But then this appears to go off the rails. The release next says the vulnerabilities in the Domain Name System, DNS, the internet's address book that turns website names into numbers computers use to find them. Weaknesses in DNS can allow attackers to redirect users to fraudulent sites, steal sensitive data, or take services offline entirely, with potentially serious consequences for anyone relying on government services.

Steve Gibson [01:19:34]:
Okay, uh, they said— the press release says, before this service was in place, a weakness in a government DNS record could go unnoticed for nearly 2 months, long enough for a hostile actor to redirect someone trying to access a government service to a fake site designed to steal their personal details, intercept sensitive communications, or disrupt services that people rely on. The vulnerability monitoring service has closed this window down to 8 days. It alerts the right people with clear, practical guidance on how to fix the problem and tracks progress until each issue is resolved. Okay, what the hell are they talking about? What is a weakness in a government DNS record? What? In this day and age, when I see something that sounds entirely plausible and reasonable to a layperson but which is actual nonsense, the first thing I think is that some AI somewhere was having a bad day. The press release said before this service was in place, a weakness in a government DNS record could go unnoticed for nearly 2 months. Again, what? What is a weakness in a— It's like it makes no sense at all. There's no such thing. Okay, so let's just play along and see what else happens.

Steve Gibson [01:21:34]:
The release continues. Speaking at the annual government cybersecurity and digital resilience conference, Digital Government Minister Ian Murphy will outline how this will sharply reduce, right, the reduction in weak government DNS records, apparently. What will sharply reduce something? Uh, oh, the risk of hackers targeting essential services like the NHS. Well, that's good. If you've got a weak DNS record, you don't want that. So by all means, reducing its effect somehow from almost 2 months of weakness down to just 8 days, that's a big improvement. No one would argue. He'll also outline how the government has reduced its backlog of these weak DNS vulnerability records, okay, by 75%, significantly shrinking the window for cybercriminals to target essential government services due to weak DNS records, okay, from GP surgeries and ambulance trusts to hospitals and social care providers.

Steve Gibson [01:22:42]:
Today's announcement marks a decisive step in closing the door on such threats, whatever they are, with the government going even further with the launch of the first-ever dedicated government cyber profession. Apparently, we're going to have a cyber profession, capital C, capital P, that focuses on the weakness I don't know, of what? DNA? What are they? DNS monitoring? What are they? I'm okay. So the press release says this program will recruit and train the top-tier cyber experts needed to keep public services safe. Oh, good. Minister for Digital Government Ian Murphy said, quote, cyber attacks aren't abstract ideas. Oh no, we know that. They delay NHS appointments, disrupt essential services, almost put Jaguar out of business— and that's, that, that's me, not him— and put people's most sensitive data at risk. When public services struggle, it's families, patients, and frontline workers that feel it.

Steve Gibson [01:23:55]:
The Vulnerability Monitoring Service has transformed how quickly we can spot and fix weaknesses before they're exploited so we can protect against that. We've cut cyber attack fix times by 84% and reduced the backlog of critical issues by three-quarters. And as the service expands to cover more types of cyber threats, what, beyond weak DNS records, whatever those are, fix times are falling there too. But technologies alone aren't enough. Today, he says, I'm launching a new government cyber profession, capital C, capital P, to attract and develop the talented people we need to stay ahead of increasingly sophisticated threats, making government a destination of choice. That's right, baby. Government is a destination of choice for cyber professionals worldwide. Who want to protect the services that matter most to people's lives.

Steve Gibson [01:25:00]:
Dr. Richard Horne, CEO of NCSC, said cybersecurity is more consequential than ever today with attack. It does sound like maybe some good AI wrote this part. Ever today.

Leo Laporte [01:25:14]:
Are there bullet points?

Steve Gibson [01:25:17]:
With attacks in the headlines showing the profound impacts they can have on people's everyday lives and livelihoods. As our public services continue to innovate, it's vital that they remain resilient to evolving threats and blah, blah, blah, blah, blah. So they finally said the VMS, this is this new system that's been online for 14 months, continuously scans 6,000 UK public sector bodies, detecting around 1,000 different types of cyber vulnerabilities. When a weakness is identified, the service alerts the relevant organization with specific actionable guidance and tracks progress until the issue is resolved. Okay, now that finally makes sense. That is what we would expect. They have a continuously running internet scanner that's scanning 6,000 UK public sector agencies and entities looking for 1,000 different types of cyber vulnerabilities at each of the IPs of the configured targets. Yay! Unfortunately, the presence of that Looney Tunes nonsense about weakness in government DNS records casts the entire announcement into question.

Steve Gibson [01:26:41]:
Just where does, you know, where does the AI brain fart that apparently occurred end in this announcement and reality begin? If that's in there, it's hard to know what else is just fuzzy. But we do now appear to be, you know, back on track. The release finishes up writing, by automating and detecting and streamlining remediation, the service has, bullet point, reduced median time to fix domain-related vulnerabilities from 50 days to 8 days, an 84% improvement. Okay, now we're back to crazy town there. What is a domain-related vulnerability and how can it have been reduced from taking 50 days to fix down to just 8 days? How could it take any days? You know, it, it really does seem as though an AI had a hand in the preparation of this release, which is too bad. The other 3 bullet points seem more reasonable.

Steve Gibson [01:27:52]:
They are reduced median time to fix other cyber vulnerabilities from 53 days down to 32. Okay, not great, but better. Cut the backlog of critical open domain-related vulnerabilities, whatever that is again, by 75%, processed and resolved around 400 confirmed vulnerabilities each month. So the article, the press release finishes saying the new government cyber profession is co-branded with the Department for Science, Innovation and Technology and the National Cybersecurity Center. It will introduce a competitive total employee offer, establish a dedicated cyber resourcing hub to streamline recruitment, and create a clear career framework aligned with UK Cybersecurity Council professional standards. It will also include a government cyber academy for training and deployment, a new apprenticeship scheme to build feature— to build future talent and structured career pathways to strengthen long-term capability across the public sector. The Northwest will serve as the primary hub for the profession, building on Manchester's growing digital ecosystem and the forthcoming government digital campus. So all that sounds great and reasonable too.

Steve Gibson [01:29:22]:
The UK has clearly implemented, although they seem unable to describe what it is they have, an extremely useful service. I, and I do seriously hope that other nations pick up on this idea and put it into practice. The idea of a country scanning its own internet infrastructure preemptively for known problems. I mean, this is what CISA should be doing. And then finding out who owns those IPs and letting them know they've got problems there, that's a win-win. I don't know what a soft government DNS record is. Wow. And I don't think anybody else does either because, you know, we would know what that was, right? We know, we understand this stuff and it's like, what? What are you talking about? Really, it's just a mystery.

Steve Gibson [01:30:22]:
Leo, let's take a break.

Leo Laporte [01:30:23]:
Okay.

Steve Gibson [01:30:24]:
For a sponsor who's not a mystery.

Leo Laporte [01:30:26]:
No mystery to you or me because we're about to head to Orlando for Zero Trust World, ThreatLocker's big security conference. Steve's going to give a presentation Wednesday. Last event of the day. So it's right before the cocktail party. In fact, it might even overlap a little bit, but it'd be worth sticking around. And Steve and I will stick around afterwards to talk to you.

Steve Gibson [01:30:50]:
And you're going to be in costume, right?

Leo Laporte [01:30:52]:
Not for this. Oh, there is a Thursday. They're very famous for every year ThreatLocker has a costume party. And the— I think the theme this year is '60s space.

Steve Gibson [01:31:09]:
Oh, thank goodness. I thought I was going to be the only person not in costume on—

Leo Laporte [01:31:14]:
not for the cocktail—

Steve Gibson [01:31:14]:
for the Wednesday evening cocktail party. No costumes.

Leo Laporte [01:31:18]:
No costumes. Just be normal. Okay. Which is black, right? You're gonna wear black of some kind.

Steve Gibson [01:31:24]:
I'll be wearing black even though Orlando is hot and black absorbs heat, just like it does for the crows, Leo.

Leo Laporte [01:31:30]:
Oh yes, they absorb the energy focused upon them, whether by the sun or some other third party. Uh, actually, let's talk about ThreatLocker since we're, we're here, our sponsor for Security Now, for this segment of Security Now. Uh, I'm, I'm a big fan of ThreatLocker because they do zero trust right. ThreatLocker's zero trust platform takes a proactive— and this is the key, these are the three words you want to hear— deny-by-default approach. That means every unauthorized action is blocked unless you specifically, explicitly say, yeah, that program can do that, or that user can do that. It can't. And, and it's as simple as that. That protects you from both known and unknown threats.

Leo Laporte [01:32:22]:
The problem, of course, is modern threats, modern attacks hide inside endpoints. Your employee brings the laptop home, gets malware on it, brings it back. Now it's inside the network. A lot of networks just assume, hey, if it's inside the network, it's an employee, it must be okay. We know better, don't we? Attacker-controlled virtual machines, sandboxed environments. Attackers are very smart these days. They hide inside, right? That VM-based malware will evade traditional antivirus software. So even if, you know, your employee brings in the laptop and your antivirus says, oh well, I see the, the bad guy here, you don't know what else is going on in there unless you're using ThreatLocker Zero Trust.

Leo Laporte [01:33:08]:
It prevents these VM-based attacks before they can launch because you've not explicitly permitted it. ThreatLocker's innovative ring fencing— that's what they call it— constrains tools and remote management utilities. That's another big threat, right? People are logging in through a VPN or something. Attackers cannot weaponize them for lateral movement or mass encryption that stops ransomware cold. ThreatLocker works in every industry, Macs, PCs, provides 24/7 US-based support. The support is great. And with it, one of the real benefits of zero trust, you also get comprehensive visibility and control.

Leo Laporte [01:33:46]:
It's great for compliance. Ask Emirates Flight Catering. It's a global leader in the food industry, 13,000 employees. ThreatLocker gave full control of apps and endpoints, improved compliance, and delivered seamless security with strong IT support. All, all of the above. The CISO of Emirates Flight Catering said this, quote, the capabilities, the support— oh, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it.

Leo Laporte [01:34:21]:
It's incredibly helpful to me as a CISO, end quote. ThreatLocker really works. It's, it's affordable, it's effective, it, it works with what you're already using, and it's trusted by companies that just can't afford to be down for even one minute, like JetBlue, Heathrow Airport, uses ThreatLocker. The Indianapolis Colts, the Port of Vancouver. ThreatLocker consistently receives high honors and industry recognition. They're a G2 High Performer and Best Support for Enterprise Summer 2025 report. PeerSpot ranked ThreatLocker number one in application control. GetApp gave them the Best Functionality and Features Award in 2025.

Leo Laporte [01:35:02]:
Get unprecedented protection quickly, easily, and cost-effectively. With ThreatLocker. Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com/twit. On we go with the show.

Steve Gibson [01:35:21]:
Okay, so I mentioned this at the top. As somebody I knew, Leo, you would remember, I, I was just scanning the news and I encountered a piece of news declaring that, um, Vastamo hacker disappears. And I thought, okay, I have no idea what that is. But then reading a bit into the story, it mentions that a Finnish hacker lost his appeal and will have to go back to prison after a court increased his original sentence. Okay, so again, like, okay, nothing stands out there. But we'll recall this event from 6 years ago. The report explains that this Finnish hacker was sentenced to 6 years and 3 months for hacking the Vastamo Psychotherapy Center in 2020 and then extorting its patients, which is what made that stand out. Both as I was reading this, and of course I remembered we talked about this at the time.

Steve Gibson [01:36:28]:
This creep obtained the Psychotherapy Center's very personal and highly confidential medical psychotherapy records.

Leo Laporte [01:36:39]:
That's just awful.

Steve Gibson [01:36:40]:
Including, of course, the contact information that would be needed for them to be contacted for the sake of extorting them, which he then did. He threatened them with public exposure of their mental illnesses unless they paid up. So beyond this, as I also recall, Leo, you and I were shocked when we saw the sheer number of patient records that, that Vastamo Psychotherapy Center had maintained online which were stolen. That was the other part of the scandal. We noted that not only were they at fault for not better protecting their data, but they should not, you know, they should not have had that much old patient data around. They should be held accountable for leaving the data of years and years of previous patients in hot storage online and readily accessible. You know, I understand they might have felt they needed to retain records for some possible future need, but those could be archived offline for retrieval on demand, not sitting on the same server with all of the current records, all of which this hacker sucked up.

Leo Laporte [01:37:56]:
So I agree, anyway, 100%.

Steve Gibson [01:37:57]:
Yeah, just a weird little aside. I mean, I'm like, I remember that guy. Yeah, we talked about him. Funny how we seem to catch all the important bits. I'm happy about that. So in their cyber intel brief, the cyber intelligence firm Dataminr, they left the E out, so it's D-A-T-A-M-I-N-R. Dataminr reports that the Scattered Lapsus Hunters, which we're now abbreviating SLH, although I don't know if anyone's going to remember what SLH is, so I'm going to keep saying Scattered Lapsus Hunters because it's fun, uh, that they've begun recruiting female individuals for their voice phishing campaigns. SLH is offering upfront payments, big ones, for social engineering calls targeting IT help desks.

Steve Gibson [01:38:51]:
Dataminr's report offered 3 key takeaways. They said under tactical evolution, SLH is diversifying its social engineering pool by specifically recruiting women to conduct voice phishing attacks likely to increase the success rate of help desk impersonation. Under large incentives, they said the group is offering significant financial incentives between $500 and $1,000 upfront per call, which stuns me, and providing pre-written scripts to their recruits. And high-profile risk, they said SLH is a supergroup alliance of Lapsus$, Scattered Spider, and Shiny Hunters, known for compromising major global corporations and stealing over 1.5 billion records so far and counting. Um, the, the Dataminr posting then walks us through their discovery of SLH's online recruitment postings and ends with some useful advice to any potential enterprise targets. Under their heading, organizations should adopt a heightened defensive posture against social engineering, they enumerate 4 points. First, help desk training. Immediately brief IT help desk and support personnel on this specific recruitment trend.

Steve Gibson [01:40:24]:
Emphasize that attackers may be using pre-written scripts and polished voice impersonation, and that the fact that it's a girl on the phone doesn't mean, you know, it's not your typical hacker attacker guy. So don't be fooled by that. Strict identity verification. Enforce out-of-bound, out-of-band, as they say, identity verification. You know, a video call or secondary internal verification of some sort. You know, it's like not— like when you receive email that says phone this number if you'd like more information, and pretending to be your bank, you need to, you know, go look up your bank's phone number yourself rather than using the number that came in the email, that kind of thing. So, uh, harden MFA policies. They said move away from SMS or push-based MFA, multi-factor authentication, which both of which are vulnerable to SLH's known TTPs like SIM swapping and fatigue bombing.

Steve Gibson [01:41:32]:
Implement FIDO2 compliant hardware security keys wherever possible. And finally, monitor anomalous access. Audit logs for new user creation or administrative privilege escalation immediately following all help desk interactions, meaning, you know, check your logs after a help desk interaction to see whether there might be anything going on that the bad guys immediately launched into following that interaction. So the point being, you really do need to be proactive.

Leo Laporte [01:42:05]:
I remember, um, uh, a, uh, phishing attack some years ago where a woman called a customer service rep. Remember, customer service is the first two words in their title. They want to help customers. So the way this phishing attack, this social engineering attack worked, the woman was frantic saying, "My husband left his phone at home and he's on a business trip and he's going to desperately need it. I need to reach him." And they played a baby crying in the background on a recorder. I mean, there was this whole scenario.

Steve Gibson [01:42:47]:
So you would really get sucked in and believe.

Leo Laporte [01:42:49]:
Yeah. And of course you can't do that with a guy. So yes, a woman's voice is going to in some cases really be more effective because I think you're right. People don't expect it, a woman to be social engineering them.

Steve Gibson [01:43:03]:
Yeah. So, so again, it just knocks your guard down a notch. Yeah. Yeah.

Leo Laporte [01:43:07]:
And of course it was a SIM jacking attempt. They just want— all they wanted to do is get the phone number transferred so they could get those SMS, uh, yep, you know, and text messages.

Steve Gibson [01:43:18]:
Good night.

Leo Laporte [01:43:19]:
Good night.

Steve Gibson [01:43:21]:
Yep. So last Wednesday, Cisco released the news of CVE-2026, uh, 20127, once again achieving that rarest of rare CVSS 10.0 scores.

Leo Laporte [01:43:40]:
Good old Cisco. You know what? They always come in strong.

Steve Gibson [01:43:46]:
Used to be, oh, Newman. Now it's, oh, Cisco. This was an actively exploited zero-day first discovered while it was being abused in the wild. The title Cisco gave their disclosure was Cisco Catalyst SD-WAN Controller authentication bypass vulnerability. Yep, you heard it right. Surprise, surprise, an authentication bypass vulnerability. Cisco wrote, a vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage, could allow, right, could, could allow an unauthenticated remote attacker to bypass authentication, that pesky authentication, and obtain administrative privileges on an affected system. They said this vulnerability exists because the peering authentication mechanism in an affected system is not working properly.

Steve Gibson [01:44:59]:
Huh, not working properly. Okay, no one would disagree with that, although calling it catastrophically defective might be more accurate. Okay, this one is so bad that both the U.S. NSA and CISA in, you know, here in the U.S., the Australian Signals Directorate's Australian Cyber Security Center, the Canadian Center for Cyber Security, New Zealand's National Cyber Security Center, and the UK's National Cybersecurity Center all published patch or perish announcements in a desperate attempt to bring the need to patch all systems to the attention of their owners. The SD in SD-WAN stands for software-defined, so it's a software-based networking platform that connects branch offices, uh, data centers, and cloud environments together through a centrally managed system. It uses a controller to securely route traffic— securely in quotes, of course, air quotes— uh, between sites over encrypted connections. This is another instance where any company that recognized that simple authentication can never be relied upon for security and had therefore taken the trouble to preemptively separately restrict, for example, incoming SD-WAN connections to only known endpoint peers, well, they'd have— they'd never have anything to worry about. They wouldn't have anything to fear from these authentication failures, and A would not have suffered a potentially devastating network compromise, and B, could therefore update their SD-WAN instances with something less than pants-on-fire emergency at their leisure.

Steve Gibson [01:47:05]:
Once again, Cisco's own announcement moderately underplayed the consequences. They wrote, an attacker could exploit this vulnerability by sending crafted requests to an affected system. Of course, all systems are affected. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, you know, net configuration, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. It was the Australian Signals Directorate, I'll note, who first discovered and reported these attacks being used in the wild. Not surprisingly, they paint a somewhat less rosy picture of the consequences, writing— this is Australia— malicious cyber threat actors are targeting SD-WANs of organizations globally. These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127.

Steve Gibson [01:48:28]:
After exploitation of this vulnerability, the malicious actors add a rogue peer, and eventually gain root access to establish long-term persistence in SD-WANs. So sorry, Cisco, not just non-root user accounts.

Leo Laporte [01:48:50]:
I like that new term, rogue peer. I'm going to keep that around. Rogue peer.

Steve Gibson [01:48:56]:
Yeah, yeah. Again, uh, we— it's one of our main themes here. You cannot rely upon authentication. And more importantly, you don't need to. You can apply additional factors of authentication, not allow somebody to get to a port. You know, you've got, you have a bunch of offices scattered around what, the world. They're in networks. You know what their IPs are.

Steve Gibson [01:49:29]:
They're even their IP blocks, probably the specific IP of your peer SD-WAN. Why not take the time to put a rule in the firewall so that you only accept incoming traffic from that IP to your SD-WAN?

Leo Laporte [01:49:47]:
Why not? Can you spoof an incoming IP?

Steve Gibson [01:49:50]:
No.

Leo Laporte [01:49:51]:
How interesting.

Steve Gibson [01:49:52]:
No, because it requires a connection.

Leo Laporte [01:49:53]:
It's a conversation. It's better.

Steve Gibson [01:49:56]:
Yeah, right. Yes. And so it was like all anybody has to do is not assume that— I mean, first of all, I was about to say not assume that Cisco is perfect. Who would do that?

Leo Laporte [01:50:06]:
Well, that's a good thing to not assume. Please.

Steve Gibson [01:50:11]:
Safe bet. So, you know, protect yourself. Put firewall rules in. So because you're talking to fixed endpoint IPs, only allow the conversations from them. Why would you ever want China or Russia or North Korea to connect to your SD-WAN? You don't.

Leo Laporte [01:50:29]:
Right. I mean, I do that with my freaking Synology. It's not—

Steve Gibson [01:50:33]:
I mean, how hard could it be? Exactly.

Leo Laporte [01:50:37]:
Exactly.

Steve Gibson [01:50:37]:
I mean, you know, yes. Yeah. Okay. So VulnCheck's annual report on the in-the-wild use of known security CVEs, like, you know, CVEs about security breaches, is interesting. Um, all I have— I, I, I have the entire 41-page report. It will probably be next week's topic because it looked like in a quick glance through it there was just so many, so much juicy stuff there. But the teaser summary, which is all you get until you, you know, give them your name and email address so they can market to you for the rest of your life, uh, it was interesting too. They said in 2025, barely 1%— here, this is what was interesting— 1% of disclosed vulnerabilities were exploited in the wild, which might not be what we think.

Steve Gibson [01:51:36]:
It means that the distribution of exploits is not uniform. It is very peaky. Of course, it's the juicy exploits which were exploited, right? They said, but yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond, just like this SD-WAN nightmare. They said this report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed. Like I said, it's going to be fun to talk about this, to look at this analysis. They said VulnCheck tracked exploitation patterns, threat actor behavior, and weaponization timelines across hundreds of thousands of vulnerabilities in 2025. The data revealed how quickly new vulnerabilities became bona fide threats, how AI proof-of-concept code is polluting risk assessment pipelines— interesting— and which threat actors ramped up vulnerability exploitation amid geopolitical tension. Then we have 3 bullet points.

Steve Gibson [01:52:53]:
VulnCheck identified 50 routinely targeted vulnerabilities from 2025 that had elevated risk profiles by the end of the year, drawing interest from ransomware threat actors, botnets, and researchers often all at once. Second, proof-of-concept exploits for new CVEs increased 16.5% in 2025, inundating organizations with risk signals that often turned out to be false or misleading AI-generated slop. Again, AI slop is a term which has taken hold. And finally, China-nexus threat actor attributions increased 52% year over year. While ransomware groups shifted towards zero-day exploitation at accelerating rates, with 56.4% of ransomware CVEs discovered through zero-day activity. So the landscape is changing. These guys have analyzed everything that happened in 2025, produced a 41-page report full of information. And I suspect that's how we're going to start next week.

Steve Gibson [01:54:09]:
Um, we're going to start our listener feedback, Leo, but I think we should take one more break because then we'll have one before our final, uh, coverage.

Leo Laporte [01:54:17]:
That sounds good to me. Uh, you're watching Security Now, special edition in a sense because we are doing this on a Sunday. Steve and I, as I mentioned, are going to Florida tomorrow and we'll be gone all week. I've got people covering the shows for me. We will put this show out in the normal Tuesday time slot, And if you're a Security Now fan, good news, because this week we'll have two Security Nows, a second show, which will be the presentation Steve's giving at Zero Trust World.

Steve Gibson [01:54:46]:
What's it called? The Call Is Coming from Inside the House.

Leo Laporte [01:54:52]:
I'll leave it to you to speculate as to what.

Steve Gibson [01:54:55]:
I'm just thinking you have people covering your shows and we've got people covering our squirrel's needs to continue being fed while we're gone. Yes.

Leo Laporte [01:55:03]:
I have Micah. You have a squirrel sitter. It makes sense.

Steve Gibson [01:55:07]:
We have house sitters that are going to keep the squirrels fed because Lori said, what about the squirrels?

Leo Laporte [01:55:11]:
It's like, okay. Anyway, we're glad if you're watching live, we're so glad that you figured that out. TWiT will be coming up in about an hour and we'll get to that. But first, a word from our sponsor. Our show today brought to you by Adaptive. This is, I think, a new sponsor. Really cool product. It's the first security awareness platform specifically built to stop AI-powered social engineering.

Leo Laporte [01:55:38]:
We were just talking about this, right? The time is right. Here's the shift. Here's what's changed. And if you listen to the show, you just heard about it. Attackers really don't— they don't need malware anymore. They just need trust. A cloned voice, a convincing deepfake on Zoom. An AI-written phish that looks like it came from your IT team.

Leo Laporte [01:56:03]:
It's really very effective what people can do right now. Adaptive prepares your organization for this kind of attack with simulations across, of course, email, but also now SMS and very important voice. Deepfakes, vishing, you know, that's voice phishing, AI-generated phishing. Including scenarios that can mirror your own brand and executives. And when employees report something suspicious, Adaptive can help you triage it fast so security teams aren't buried by false alarms. If you need training fast, Adaptive's AI content creator, you can turn a threat and incident report or a compliance doc into interactive multilingual modules in minutes. No design team required. With Adaptive, you can build, Customize and monitor every part of your training with complete personalization.

Leo Laporte [01:56:56]:
You personalize it just like the bad guys are personalizing them. The result is a more resilient security culture, which is absolutely essential because guess what? The call's coming from inside the house. Companies like Plaid use Adaptive. Plaid's platform powers thousands of digital finance apps and links consumers, developers, and institutions you better believe they need help with Adaptive Security. With sensitive data as core, Plaid's security and compliance are absolutely non-negotiable. Uh, Plaid's head of security, GRC, says, quote, Adaptive has equipped our teams with cutting-edge tools and built a smarter, more resilient security culture across the company. Adaptive really works. Trusted by Fortune 500s And backed by NVIDIA and OpenAI, Adaptive is building the defenses we need for the AI era.

Leo Laporte [01:57:51]:
Learn more at adaptivesecurity.com. That's adaptivesecurity.com. It really works. Cool.

Steve Gibson [01:58:02]:
Um, a listener, David Benedict, he said, hi Steve, not to pull you back, but he's going to, into the whole code signing discussion again. Asked, it's a lot of interest, we've— a lot of our listeners have expressed a strong interest. He said, but what if we simply don't buy those code signing certs? What if we simply start self-signing code? Is there anything to stop us from self-signing and building our own reputation that way? Thanks, Dave Benedict. So okay, that's an interesting idea. The moves that the CA/Browser Forum have been making on the code signing front feel entirely different from their earlier squeezing on the TLS certificate side. The reason Let's Encrypt was able to effectively replace and displace the traditional certificate authorities for the world's web server domain validation certificates is that Let's Encrypt is only providing what its name suggests. Encryption. Let's Encrypt.

Steve Gibson [01:59:10]:
It's making no assertion of any kind about the reputation of the domain name holder. And when you think about it, where strong assertions of identity are needed, um, and are being made about the owner of a certificate, you know, whether for a web domain, maybe a, the digital signer of a document that matters too, or the authorship of code. We do need entities such as certificate authorities standing by to do the necessary work of verifying identity and carefully issuing certificates which attest to what their research has found. Unfortunately, while we've been going about our lives, the certificate authority business has been quietly consolidating. This has sometimes been triggered, as we've covered on the podcast, when an irresponsible certificate authority so flagrantly abuses its position of trust that the various root programs are finally forced to revoke their trust. In those cases, the disgraced CA is forced to sell off its certificate authority business assets to another certificate authority. In other cases, it's just a bigger fish swallowing up a smaller fish, reducing the competition. While I was scouting around for a new code signing certificate authority, I noticed that many of the smaller-looking companies had exactly the same pricing as DigiCert.

Steve Gibson [02:00:48]:
It turned out that many of them have simply become fronts for DigiCert's products. They're just resellers. The upshot of many years of CA industry consolidation is that the world no longer has a— this is sad but true— the world no longer has a competitive certificate authority industry. We are watching the formation of a monopoly that has the gall to charge its customers per signature. We can see the writing on the wall. There are already plans like that happening. It's where we're headed. Dave began his note writing, hi Steve, not to pull you back into the whole code signing discussion again.

Steve Gibson [02:01:35]:
It's not your fault, Dave. This whole thing obviously rubs me the wrong way. One of my personality hot buttons happens to be bullying. I've never been okay with the abuse of power, which is what I believe anyone observing the actions of the CA industry would conclude is happening. I don't see any way out of this, but I will gladly share any solutions I find. To that end, during this research, I discovered that all of the various CAs, certificate authorities, who offer code signing certificates— remember that now any code signing certificate must be in hardware. You no longer get a software certificate. All of the code signing offering CAs provide the option of installing certificates into a customer-provided HSM, a hardware security module, rather than selling the certificate pre-installed in their own dongle token.

Steve Gibson [02:02:40]:
You know, typically they charge another $100 for that, but that's it. That's all it can do, and period. The reason I'm mentioning it is I found a gorgeous $72 form factor USB-A HSM dongle that I love. It's called the SmartCard-HSM 4K. 4K because it can handle 4096-bit RSA keys, which is now what's necessary. Uh, it also does elliptic curve keys, which can be much smaller. I have a link to, uh, this device in the show notes, uh, to one particular retailer, uh, of this device. Um, it's got its own website at smartcard-hsm.com, and most significantly, all of the card's multi-platform support is open source.

Steve Gibson [02:03:46]:
So this is a fully open source, $72 beautiful little hardware security module. Uh, I've got a link to its GitHub page in the show notes. One of the very cool features of this for me is that HSM and, you know, having a hardware security module enables secure and encrypted cross-HSM private key and certificate transfers. In other words, I have multiple machines where I want to be able to sign code. I've got two working locations. And GRC servers in the Level 3 data center. So I first had the first HSM securely generate a 4096-bit RSA key pair. The private key never leaves the device, which is what the certificate authorities require, but the public key is exported in a CSR, a certificate signing request.

Steve Gibson [02:04:51]:
I uploaded that CSR to IdenTrust to receive— for it to receive their signature. They promptly returned the resulting certificate, which I used, which is then used to verify any signatures that the HSM generates for my code, since it'll be doing the code signing. One of the many cool things about this solution is that each of these HSMs includes its permanent device, its own permanent device certificates that enable it to establish a secure key sharing key among others of its kind. This allows one HSM's private keys to be securely duplicated across many other devices. As many as you may wish, as well as being externally backed up for export without ever being able to expose its private key. So it is— it meets all the requirements first for security, yet gives us as HSM users and code signers way more flexibility. Each HSM also has a large amount of storage with room for hundreds of keys, and certificates and whatever you want to put in there. Uh, PGP, GPG, all of that stuff is supported.

Steve Gibson [02:06:17]:
All of the platforms are supported. So, and everything is open source on GitHub. So for example, if an enterprise might have a number of trusted developers work from home, satellite offices, or whatever, for the price of $72 each, as many developers can be given the ability to securely sign code as needed. Anyway, there's much more than what I've shared, so if you have an interest or need, check out smartcard-hsm.com. The retailer I used, CardLogix, cardlogix.com— I've got a link in the show notes— uh, they're the retailer which I found. It happened to be near me in the US. The, um, the where-to-buy page at smartcard-hsm.com also lists a German and a Taiwanese reseller.

Leo Laporte [02:07:08]:
So you're—

Steve Gibson [02:07:08]:
if you're over in Europe, you can find someone near you, or in Taiwan.

Leo Laporte [02:07:12]:
I have a Nitro— I have a bunch of Nitrokeys.

Steve Gibson [02:07:14]:
It works on that too, which I didn't realize. Yes, Nitrokey is also supported by all of this software. Yeah, since my original DigiCert EV code signing certificate does not expire until November 20th, as it happens, of this year. But I wanted to remember that I wanted to obtain a 3-year certificate before they were no longer available. My plan has been to see whether I can pre-establish a reputation for the new, now 3-year duration, IdenTrust certificate by having it co-sign GRC's freeware. That's now in place. GRC's most popular freeware, uh, like for example ValiDrive, which is now being downloaded 1,000 times a day, is now co-signed both with DigiCert's original certificate and the new IdenTrust certificate. So I'm hoping that once we get to November, I'll be able to drop the DigiCert certificates— I'm sorry, the DigiCert signatures because my stats— that DigiCert certificate, code signing certificate, will have expired.

Steve Gibson [02:08:28]:
And like, and that my newer IdenTrust certificate, which will by then have 10 months of exposure to Windows Defender and Smart whatever the hell, you know, it— Microsoft will have seen this and gotten used to it. And I'm hopeful that it will be able to stand alone and keep Windows, uh, you know, trigger-happy gatekeepers happy. Okay, so, and then finally, just to see whether I could, because I had so much fun playing with this new technology last week, as I mentioned, talking to DigiCert, I also reissued my existing DigiCert certificate into— in— instead of in, they provide me with a dongle, which they did the first time. 2 and a half years ago, I did it in this customer-provided HSM mode that allowed me to add DigiCert's certificate into my new HSMs alongside the newly minted IdenTrust certificate. It all worked perfectly. I have— now I have HSMs containing both the existing expiring in November DigiCert code signing certificate and the new IdenTrust code signing cert, which goes for 3 years. So, okay, believe it or not, I haven't forgotten about David. He started me off on all this by asking about the possibility of coders sidestepping all this nonsense by using self-signed certificates.

Steve Gibson [02:10:05]:
Now, the use of self-signed certificates has been common practice for web developers for many years. I have a self-signed certificate for localhost sitting in the trusted root stores of my various workstations. I run a web server on those machines which uses that certificate, and I use it for local web development. Having a self-signed certificate for localhost allows me to use HTTPS URLs starting with, you know, https://localhost/ and then whatever without the web browsers that I'm using pitching a fit, you know. So it's just very handy. Okay, so let's explore how this might be extended for code signing. If rather than having DigiCert or IdenTrust or whomever sign my code signing request, if I could instead use my private key to sign the certificate, creating a self-signed certificate which would then be installed into the system's trusted root store, how would that work? Well, from that point on, any code I signed would carry that root certificate's matching public key, and any check on the validity of my code's signature on this machine would show its signature to be valid. But the reason this is not a useful solution for a software publisher, unfortunately, such as GRC, is that these code signatures would only be valid on machines that had previously installed the— its matching root certificate.

Steve Gibson [02:12:05]:
What DigiCert, IdenTrust, and all the other CAs have going for them is that their root certificates are already pre-installed wherever any certificates they have signed might need to be trusted. Since Windows has now developed the practice of deleting on sight any executable that appears on its drive without a valid and trusted signature, especially one downloaded from the internet. And that's probably why people are able to compile their own code, is it came from them. Although I've compiled my own code too, and, and Windows has immediately stomped on it. Um, it would be necessary for GRC, if I was using a self-signed cert, it would be necessary for GRC to tell its customers that before attempting to download, let alone run, any of our software, they must first download and install GRC's own trusted root certificate. Well, since I would never install anyone else's root certificate into my machine's root store, I would never ask anyone else to do that for us in order to download and run my code. The burden of making my code acceptable to someone else's machine should be on me, not on them.

Steve Gibson [02:13:31]:
So while signing one's own code for use on our own machines would work, just like using a self-signed web certificate for local use of a web browser and web server, I don't see any way to break our certificate authorities' stranglehold on developers for code signing that needs to be universally trusted. And as I said before, I get the need for a certificate authority, you know, for just encrypting web domains. We don't need them. That's why Let's Encrypt is a viable alternative. And that's why it works, because all we're saying is encrypt this traffic to wherever I'm going. And I'm not sure where I'm going. I'm going to this domain name. Certificate authorities, we need a third party.

Steve Gibson [02:14:19]:
Like a CA when we need to have the ability to digitally sign a document and have that signature mean something because we proved who we were to them, or to sign our code, or if, if we want an organization validation certificate for TLS web servers, not just a domain validation certificate. So I'm not saying that certificate authorities don't have a place and we don't need them. I've got a problem with that abuse. Um, now there is one place where self-signing could make sense, because everything I said about individual developers like me, um, that does not apply to enterprises, right? Enterprises might choose to use— they, they could buy a cert from DigiCert, they could use a publicly trusted code signing certificate for their internal use But within an enterprise, it might also work to sign code with a certificate that is only trusted within the enterprise's own enterprise machines. Remember that many enterprises already install their own TLS web root certificates on all internal workstations so that their networking middle boxes are able to intercept, decrypt, and scan everything that enters and exits their network. You can't get on the enterprise LAN and get out to the outside world unless you have one of, you know, their own TLS cert in your, in your enterprise workstation machine. So I could see that it would make sense to add a private code signing root certificate to all enterprise machines for use, you know, for their own internal use. On the other hand, if you're an enterprise, you may not care that much about what, you know, the various CAs have now chosen to charge for their— for the privilege of signing code, although it does appear to be escalating over time.

Steve Gibson [02:16:29]:
DGC wrote, hey Steve, long time listener, but I'm a few episodes behind right now. In episode 1062, you said, quote, we also see employees in positions of trust on internal enterprise networks being tricked into clicking malicious links and inviting malware inside the house. No form of fancy coding AI is going to fix any of those things. And he writes, that may not be entirely true. I recently came across a new solution Charlemagne, which runs on a desktop and monitors privately, locally, what the user is doing. It uses an SLM, a small language model, to detect potentially malicious actions like lookalike websites, malicious links the user might click on, etc., and then warns the user not to do those things. So an AI agent helping a user avoid accidental bad actions could be helpful, no? To which I say, could be helpful, yes. And I very much like the idea.

Steve Gibson [02:17:43]:
As we were saying, you know, the talk that Leo and I will be holding during the Zero Trust World event is titled The Call Is Coming from Inside the House. You know, that is obviously a metaphor for what I believe to be the biggest and most intractable problem facing today's enterprises. You know, stated as succinctly as possible, the problem is overprivileged users making mistakes. Though the term overprivileged is typically used in a derogatory context, I don't mean it that way at all. I'm using it in its strict computer science context where overprivileged is the result of not following a strict least privilege model. The beauty of describing the problem as overprivileged users who make mistakes is that it points us toward two solutions to the problem. Either we no longer overprivilege our users, or we somehow arrange to prevent them from making mistakes. Whereas it might be possible to constrain what the employees of an enterprise might be able to do on the enterprise's network, a large part of the joy of using a personal computer is that its use is personal, which is to say almost entirely unconstrained.

Steve Gibson [02:19:06]:
We can do anything we want with our own machines. Since operating within a least-privilege environment is no fun and would not be tolerated by personal computer users, that suggests that the solution for personal computer users lies in somehow arranging to prevent their mistakes, something previously not thought possible. So to that end, I love the idea of some form of active client-side local AI agent that carefully scrutinizes everything the user is seeing and doing and interposes itself between the user's actions and the computer system. Leo, I and our listeners know how to examine a URL to detect trickery, but even the best of us are not always paying 100% attention. And even when we are, we might miss the use of, of embedded Unicode characters to create a lookalike URL. Or in our haste, we might click a link without first carefully checking all the way back to the right of its domain portion to make sure that its top-level domain is what we expect. So by all means, the idea of having an AI agent peeking over our shoulder and watching our back to help detect the things we might well miss. I think it makes all kinds of sense.

Steve Gibson [02:20:45]:
And needless to say, I hope that it would totally, you know, freak out if its user were getting ready to paste the contents of the clipboard, which was pasted from their web browser, into their Windows run dialog. So, you know, if Microsoft wants to deploy AI, Leo, I would so much, instead of having something recording everything I do, I would much rather have something watching, you know, running locally, not phoning home, but making sure I don't click a link in email that could get me in trouble. I am 100% bullish, and I'll bet you we're going to end up seeing that. Yeah, you know, you and I have complained for years that, that antivirus software has essentially become passé, obsolete. You know, I don't know anybody who would install it now except that they have, you know, a loyalty to packages that they were using in the past, and so that has endured. I don't run any. I just, you know, I'm careful about what I do and I assume that Windows is going to find something, and it never has except it's found my own code, which is really annoying because, you know, that's just what it does. So I have— I've had to isolate a whole tree in my directory system in order to say leave it alone.

Steve Gibson [02:22:08]:
And in fact, I discovered, uh, that in Windows 11 there's something coming called a Dev Drive because their own, their own AV has become so intrusive and such a problem that they've created. They said, okay, we're going to create a thing in Windows 11 called a Dev Drive where we're going to give you responsibility for what's there because they've had no choice. They're, they're driving anyone developing on Windows crazy by their— because I mean, in order to protect them, they have to delete anything on sight, right?

Leo Laporte [02:22:48]:
I mean, it's, it's becoming universal. Apple's going in that direction. Google's going that direction. Everybody's doing that. That. That's, uh, code signing is the future, I think, unfortunately. Yeah. Um, I use, by the way, I use Claude now to do security audits on everything, and it's, it's very good at finding security flaws and fixing them.

Steve Gibson [02:23:07]:
It's— and we, we, uh, covered a couple instances of that last week where, where, uh, there was a guy who was running Claude, uh, he had his— he had a, a WordPress site and server and had a bunch of WordPress add-ons and had Claude checking them before he put them online. And in one case, it found many problems, and in one, it was a really bad problem that he was like, you know, really glad for. So we're going to see a lot of cleanup on aisle 9, I think.

Leo Laporte [02:23:40]:
Claude, clean up on aisle 9. Bring them up. All right, we're going to take a break and then we're going to go KongTuke, do a little Klingon in just a bit. You're watching Security Now, the early edition of Security Now. Don't get your hopes up.

Steve Gibson [02:23:57]:
This is—

Leo Laporte [02:23:57]:
we're not— we're going to go back to Tuesday after this week. But for those of you who have a free Sunday and can watch the show, it's great. I'm glad you're watching live. We do this stream on YouTube and Twitch and X and Facebook and LinkedIn and Kick. And of course, in our club, lots of people do like to watch live, but you can always download copies from a variety of places. I'll tell you where at the end of the show. Our show, this segment of the show brought to you by OutSystems, the number one AI development platform. This is for enterprises and it is so cool.

Leo Laporte [02:24:34]:
You see it happening, the agentic shift. I mean, it's all we've been talking about. Since, uh, since ClaudeBot, right? We're moving beyond simple chatbots. Yep. Well, you know what? OutSystems is right there with you leading the agentic conversation. OutSystems helps businesses build AI agents that can actually do work, take actions, make decisions, and integrate with data rather than just, you know, answer questions. OutSystems is solving the talent gap because there aren't— there just aren't enough AI engineers in the world. OutSystems empowers the developers you already have, the smart people you already have, to build at an elite level.

Leo Laporte [02:25:17]:
OutSystems is the secret weapon behind the world's most successful companies, and not just for, you know, small apps. They are for massive complex systems. They run banks, insurance companies, government services, OutSystems even helps companies with aging IT environments bridge the gap to the AI future without a rip-and-replace nightmare. And that is nice. They helped a top US bank, for example, deploy an app that lets customers open new accounts on any device, delivering 75% faster onboarding times. A global insurer— this is a— this was an in-house app. They helped a global insurer accelerate the development of a portal and app for its its insurance agents, giving them a 360-degree view of customers, enabling those agents to grow policy sales. And it really worked.

Leo Laporte [02:26:11]:
OutSystems combines the speed of AI with the guardrails that you're going to want of low-code. It's kind of a match made in heaven. It's the safest and fastest way for an enterprise to go from, uh, we need an AI strategy to We have a functioning AI application. Stop wondering how AI will change your business and start building the agents that will lead it. Visit OutSystems.com/TWIT to see how the world's most innovative enterprises are using AI-powered low-code to transform. That's OutSystems.com/TWIT to book a demo and see the future of software development. Very cool. OutSystems.com/twit.

Leo Laporte [02:26:57]:
Thank you, OutSystems, for supporting Security Now.

Steve Gibson [02:27:01]:
And now, KongTuke. So yes, uh, I wanted to finish today's podcast by sharing a newly arrived spin on the ClickFix attack, which we've discussed previously and which I, you know, has me really worried. Um, remember, that's the attack where the familiar CAPTCHA prove-you're-human test is maliciously extended to ask its victim to please paste the contents of the Windows system clipboard into the Run dialog and just press Enter. Just trust us, prove you're human by doing that, uh, right? In the newer form of this, which its discoverers, Huntress Labs— that's the name I couldn't remember at the top of the show— Huntress Labs, they dubbed this CrashFix because the victim's web browser is made to appear hung, broken, or defective, thus crashed. Uh, and as for the Klingonesque Tong Kook— uh, wait, KongTuke— KongTuke, uh, it's the name Huntress Labs has given to this threat actor, which they've been tracking for the past year. So Huntress wrote, on January 26th, Huntress senior security operations analyst Tanner Philip observed threat actors using a malicious browser extension to display a fake security warning claiming the browser had stopped abnormally and prompting users to run a scan to remediate the threats.

Leo Laporte [02:28:44]:
That looks very credible.

Steve Gibson [02:28:45]:
I would fall for that. Yes, that is, that, that is why this is so compelling. This could come up and you would think, oops, okay, yeah, it's exactly what a Microsoft, uh, pop-up looks like. Yeah, it says Microsoft Edge stopped abnormally. Then it says Microsoft Edge has detected potential security threats that may compromise your browsing data. Oh, that's not good. You would believe that. And then there's a run scan button, and you'd think, oh, scanning is good.

Steve Gibson [02:29:19]:
And then down below, there's a checkbox checked by default. Help make Microsoft Edge better by reporting current system information. And of course, you would think, oh, I, you know, got to prevent this from getting other people.

Leo Laporte [02:29:33]:
So I mean, again, is this all it takes?

Steve Gibson [02:29:34]:
If you hit that button, you're done? No, no, not, not yet. Okay, so that's the good news. But, but it does, it does get you involved, right? They said our analysis revealed this campaign is the work of KongTuke, a threat actor we've been tracking since the beginning of 2025. In this latest operation, we identified several new developments, a malicious browser extension called NextShield that impersonates, get this, Leo, the legitimate uBlock Origin Lite ad blocker, but impersonates it by stealing its source code. A new ClickFix variant we've dubbed CrashFix that intentionally crashes the browser then baits users into running malicious commands. I forgot to mention, it doesn't make it that clear here. They have script which does just bring the browser down. So that was a real crash.

Steve Gibson [02:30:39]:
It was a— yeah, well, no, it was— no, because it invokes their dialogue next.

Leo Laporte [02:30:47]:
But they do crash the browser. So your browser is dead. Your browser, their dialogue, and it's credible because your browser's dead.

Steve Gibson [02:30:57]:
Exactly. Yeah, exactly. So they said, ironically, the victim was searching— the, the victim in who got effect, who got infected by this, the victim, they wrote, was searching for an ad blocker when they encountered a malicious advertisement. The ad directed users to the official Chrome Web Store's NextShield Advanced Web Filter. Then they said the deliberate targeting of domain-joined machines, which is what, what, what this thing ends up doing, suggests Kong Took is, is after corporate environments where a foothold means access to Active Directory, internal systems, and lateral movement opportunities. Homes is terrifying. Yes, it is. And look at this next page where you see the next stage of this attack, which is what you get after you click the scan button.

Steve Gibson [02:31:56]:
Then you get the familiar open Win+R— you know, press Win+R, press Ctrl+V, press Enter.

Leo Laporte [02:32:04]:
Bing, bing, bing. So that's interesting. So they put on your clipboard the malicious code. Yes. Oh, so you don't even see that text. Nope.

Steve Gibson [02:32:13]:
All you do is follow the instructions.

Leo Laporte [02:32:15]:
Oh, and the— but oh, there, here it is again.

Steve Gibson [02:32:18]:
Edge fix browser hash. Yep. Yep. So they said home users on a standalone workstation receive a separate infection chain. So the infection chain— they have an enterprise infection chain and a home user infection chain.

Leo Laporte [02:32:32]:
They said they receive an infection chain.

Steve Gibson [02:32:35]:
Sophisticated as hell.

Leo Laporte [02:32:37]:
Yes.

Steve Gibson [02:32:38]:
Lord, it appears— oh, and, and they said that the home infection chain appears to still be in testing. They said when we got through all the layers, the, the C2, the command and control infrastructure, responded on a home environment with a test payload, meaning it didn't do anything yet. They said whether this means non-domain targets are lower priority or the campaign is still being built out, one thing is clear: Kong Took is evolving their operations and showing increased interest in enterprise networks. They said, so what are CrashFix and NextShield? The malicious NextShield app is all the more diabolical by being a fully functioning, working clone of the authentic open source uBlock Origin Lite browser extension, so its users will be pleased with the ad and annoyance blocking behavior of the extension they've just found and installed. But after using their browser for a while, the bogus "Microsoft Edge stopped abnormally" display will appear with its run scan button. Upon pressing that, the user will be presented with a fake "security issues detected" alert and instructed to manually fix the issue by opening the Windows Run dialog with Win+R, pasting from their clipboard, Ctrl+V, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard disguised as a legitimate repair command.

Steve Gibson [02:34:28]:
When the user follows these steps, they unknowingly execute the malicious command. They said, we were not about to blindly paste from the clipboard, so we tried copying the displayed command, which starts with edge.exe-fix-browser space, hyphen, hash, equals, blah, blah, blah. Like civilized malware analysts— that's what they're calling themselves, of course they are— they said the browser's response, a complete freeze. When your fix causes crashes, the name writes itself. Thus they named this CrashFix. Before we go deep diving into how we ended up with a malicious pop-up message, let's take a step back and look at how it got delivered. You've probably heard the recommendation to install an ad blocker to protect yourself from malvertising, malicious advertisements that deliver malware through legitimate ad networks. Our victim likely just wanted to get rid of annoying ads.

Steve Gibson [02:35:35]:
Instead, they downloaded a malicious one, NextShield, while searching for an ad blocker for Chrome. This header falsely attributes the code to Raymond Hill, the legitimate developer, as we know, of uBlock Origin, and references a non-existent GitHub repository. This tactic exploits the trust users place in well-known open-source projects. The actual uBlock Origin Lite repository is located at, it's, you know, github.com/uBlockOrigin/ubol-home, not the URL referenced in this malicious extension. The NextShield extension is almost entirely, they write, a clone of uBlock Origin Lite, the legitimate extension by Raymond Hill. The threat actor likely ran a few find-and-replaces to replace every instance of uBlock with NextShield. Okay, so then Huntress continues with their analysis of this latest discovery of theirs, but for us, the takeaway is that the malware community at large has stumbled upon a fundamental security weakness of Microsoft Windows, which is its users' comparatively script-following level of understanding of Windows when set against Windows' increasing power and sophistication. It's no longer useful to ask what can be done with PowerShell and .NET.

Steve Gibson [02:37:23]:
The question is, what cannot be done? That pairing, you know, PowerShell and .NET, comes to mind because, you know, while I was assembling today's podcast, I encountered other exploits which did exactly that. And this one is also using a PowerShell command. It used naive users' invocation of PowerShell with a command they did not understand. They are just following instructions. Now that we're encountering a proliferation of similar abuses of powerful commands escaping the browser with unwitting users blindly pasting and executing these commands that they did not write and do not understand, it should be clear that this story only has one ending. Sooner or later, Microsoft will need to step up to protect users from themselves, much as they did with the Mark of the Web, which flags files that were downloaded across a network. Files containing the Mark of the Web are treated much more cautiously and with skepticism by Windows. You know, you're asked, are you sure you want to run this? This was downloaded from the internet.

Steve Gibson [02:38:48]:
The system's clipboard needs to be handled similarly. Contents that were sourced by any web browser need to be quarantined. Like I said, there's only one possible ending to this trouble. This, this problem is not going to go away because users are not going to get better or smarter suddenly. Let's hope Microsoft does not wait too long before updating Windows with this change. I wish I believed they would act responsibly here. You know, we can hope.

Steve Gibson [02:39:21]:
And I'll just note that creating a third-party utility to fix this, because I kind of thought, well, maybe this, I should fix this, that won't help. No, since it's all of the people who would never know about such a utility, right, who need it the most, right? You know, we don't need it. We listeners of the podcast, the only fix for this is to come. It's got to come from Microsoft as an integral part of Windows.

Leo Laporte [02:39:44]:
Yeah, it's got to be built in. Yeah. Yeah. Or it's not going to, not going to happen. Give your, give your folks Chromebooks, kids.

Steve Gibson [02:39:54]:
And I just had a neighbor, as a matter of fact, and Lori and I encountered him while we were taking a walk yesterday. He was— he is an ex-engineer. He said, I just got a Chromebook. He says, I love it. And he said, I can't believe how everything imported into it.

Leo Laporte [02:40:10]:
I mean, he was just blown away by it.

Steve Gibson [02:40:13]:
It's all most people need, honestly. He is an Android user. And so when he explained that he connected his Android phone, I said, okay, well, that helps to explain its importation at least.

Leo Laporte [02:40:25]:
But Microsoft considered this with Windows S. They really— and they really— I wish they'd followed through. I think Apple, Microsoft, Microsoft should both offer Chrome OS-like very restricted environments, and then they can let those of us who know what we're doing use the less restricted environments.

Steve Gibson [02:40:39]:
Um, yeah, it would be a real— those is way too powerful for most people. They don't need all of this. They get lost in directory hierarchies and, and, and, you know, directory privileges, and, and, you know, basically you're you're running a machine you don't understand the operation of at all. And really, today, who among us does? We have a deeper understanding, but I don't— I remember when you went— I remember the day, Leo, when we actually knew what the files were on our own hard drive. We were editing our autoexec.bat and our config.sys. And you remember my very techie friend Bob, you know, he was like, He was complaining. He like, I still know what everything does.

Leo Laporte [02:41:25]:
And I said, well, Bob, good luck with that. Not for now. Yeah. Yeah. More— I mean, basically that's what mobile OSs are, are highly restricted operating systems. They're not truly general purpose operating systems. Anything that's general purpose is going to be able to do anything, including run.

Steve Gibson [02:41:44]:
I can't even use my iPhone anymore, Leo. No, it's got, you know, Oh, well, there's just so much in there. You hold this—

Leo Laporte [02:41:51]:
oh, you, you, you, you—

Steve Gibson [02:41:53]:
it is, it's too complicated. You like slide something, you go 3 times to the right and click your heels, and then you get a magic dialogue.

Leo Laporte [02:42:03]:
Too many hidden things. Yeah, I spend many, many hours of my life looking through the settings trying to find the setting that I want to change, and you know, it's just so hard.

Steve Gibson [02:42:14]:
And remember, that was the breakthrough from Xerox PARC of the menu, right? The commands were discoverable. You could browse around and, and see everything. And in fact, that's the, the, the one, one of the big changes coming in the next version of the DNS Benchmark that everybody will get for free, uh, is I put a traditional Windows menu on it instead of just overloading the system menu underneath the icon in the upper left. It's so much better. It's like, Gibson, come on.

Leo Laporte [02:42:45]:
Why did that take so long?

Steve Gibson [02:42:47]:
Nice.

Leo Laporte [02:42:47]:
Well, we'll look forward to that. That's a good reason to go to GRC.com. That's Steve's website. It is where you find the two programs he sells.

Steve Gibson [02:42:57]:
His—

Leo Laporte [02:42:57]:
and this is entirely how he makes his living— is with, of course, the wonderful SpinRite, the world's best mass storage maintenance, recovery, and performance-enhancing utility. And the new one, which is the DNS Benchmark. Benchmark Pro. Uh, it's only $10, $9.99, but boy, it really can make a big difference in speed. I've noticed lately I gotta run it again because our, our DNS has become slow and it feels like the whole internet slowed down, but it's not, it's just the lookup. And fixing that can really speed up everything. So check those out at grc.com. While you're there, you can get a copy of the show.

Leo Laporte [02:43:33]:
Steve has a bunch of unique versions because he's an iconoclast. He's a— he goes his own way. He's got the 16-kilobit audio version, which doesn't sound great, but it's small, has the virtue of being small. He has the 64-kilobit audio version, which does sound great, is all you really need. He also has the show notes there, which he prepares. I mean, these are really complete. Highly recommend reading the show notes, around 20 pages, today it's 21, of— and that's all the stuff you hear on the show with the links. And everything in the, in the pictures.

Leo Laporte [02:44:06]:
Uh, highly recommend that. That's all at grc.com. He also has transcripts written by a human. Our transcripts are all AI-generated because we're lazy. Steve is not. He gets Elaine Farris, who is a very talented transcriptionist, to write it all down, and you can get those transcriptions a day or so after the show at grc.com. You should also go to grc.com/email if you want to register your email address. Steve will whitelist it. That way you can send him those great pictures of the week or ideas or questions.

Leo Laporte [02:44:37]:
GRC.com/email. And that's where you would sign up if you wish for the two newsletters he sends out, the weekly newsletter, which is the show notes, and then the very infrequent newsletter. Probably will send one out, I imagine, when you update the DNS Benchmark Pro. That's the product announcement newsletter. Both of those, GRC.com/email. We have copies of the show at our website. Twit.tv/sn. We have 128-kilobit audio.

Leo Laporte [02:45:04]:
For technical reasons having to do with Apple, we have to make it a little bit bigger. So if you want smaller, get it from Steve. We also have the video, which is unique. There is a website dedicated to that, twit.tv/sn, our website. There's also a YouTube channel with the video. That's a great way to share little clips. Do us a favor. Steve is now the number 2 most subscribed YouTube channel in the TWiT universe, and I know he'd like to be number 1.

Leo Laporte [02:45:37]:
So subscribe.

Steve Gibson [02:45:37]:
I was last week.

Leo Laporte [02:45:38]:
I was number 1. Well, TWiT's not the general TWiT channel's number 1. You're number 2. You beat the TWiT Show, though, which is pretty good. Yeah, that's what I was telling you. Yeah, the TWiT Channel itself is like the central channel that has 280,000 subscribers. So that's going to be a hard one to beat. But you're 76,000.

Leo Laporte [02:45:58]:
I don't know if everybody subscribes who's listening right now, you get right up there. There's also, of course, it's a podcast. So it's in every podcast directory, every podcast app should have Security Now and you can subscribe there and you get it automatically. And that's nice. We do the show live for your entertainment if you want the freshest version. Every Tuesday normally, not today, but every Tuesday normally at 11 AM Pacific, 2 PM Eastern. Now, the next time we do it, we will be in daylight saving time.

Steve Gibson [02:46:30]:
It'll be summertime. So, yes.

Leo Laporte [02:46:32]:
Woo-hoo! That happens next Sunday then. Yeah. A week from Sunday.

Steve Gibson [02:46:35]:
Yeah. A week from today.

Leo Laporte [02:46:37]:
Yes. Oh, today. Yeah. March 8th. Yes. Right. Today is Sunday. So, yeah.

Leo Laporte [02:46:41]:
So the next Tuesday we're going to be at 1800 UTC. We don't change, we change, UTC doesn't, but the math is so crazy. It's not rational. It's irrational. So watch us live if you want. We stream, as I mentioned, on Twitch and YouTube and x.com, Facebook, LinkedIn, Kick, and of course, in our Club TWiT Discord. If you are not a member of Club TWiT, I do want to urge you to join because that is how we stay alive. It is not, it is not, it is not a luxury by any means.

Leo Laporte [02:47:15]:
It's a matter of life or death. The club supports everything we do, about a third of our operating expenses. And it's a way of saying, hey, I appreciate what you're doing. I want to support it. And we do like offering it for free, ad-supported for free, because we want everybody to get it. So nobody has to pay. But if you can afford to, it'd be nice to support that. That way you're supporting Steve, you're supporting our team.

Leo Laporte [02:47:39]:
And you're supporting the free version for people who can't afford to pay. You do get some benefits, access to the Club TWiT Discord, which is always a hoot, if you will. A lot of fun in there. Some very fun people. You will also find yourself listening to special shows that we only put out in the club. But mostly you're going to get that great warm and fuzzy feeling. That, you know, you've made some people at TWiT very happy and you're keeping these shows on the air. Steve, I did find the clip that Anthony Nielsen made.

Leo Laporte [02:48:13]:
He created this with a local AI, not even one of the big frontier models, but a Chinese model, Qwen, that does a very good text-to-speech. He says he only trained it with about 2 minutes of my voice and was able to make this little phishing recording. Hey, Burke, this is definitely not Leo asking you to buy gift cards, but seriously, can you grab me 100 Apple gift cards? Just kidding. This is Anthony testing text-to-speech. How's it sound?

Steve Gibson [02:48:41]:
Hey, Burke, is that— does that sound like me? Definitely you.

Leo Laporte [02:48:48]:
A little bit different, but— but if you weren't paying attention or you got that on the phone. Yep. Pretty amazing. Yeah. Uh, Burke says order more again. Fools him every time. Hey, thank you, Steve, for, uh, doing a very special edition of Security Now on a Sunday. I appreciate that.

Leo Laporte [02:49:09]:
Thank you. Thank your wife Lori too for letting us have you. Uh, no, no mimosas today. We, uh, we had to do a show, but you can go have some now. Uh, stay tuned if you're watching live 15 minutes away from, uh, This Week in Tech or our roundtable news show. We will be in Florida for the week. If you're going to Zero Trust World, catch us Wednesday, 5:00 PM at the end of the day for a very special Steve Gibson presentation. It's coming, the call's coming from inside the house.

Leo Laporte [02:49:39]:
I will be there as well. And we will stick around afterwards if you want to say hi, we'd love to see you. We'll also make a recording of that available on the Security Now feeds. So all you fans, you'll get 2 Security Nows this week. Steve, safe travels.

Steve Gibson [02:49:53]:
I'll see you in Orlando. Thank you, my friend. Will do. See you on— well, I guess we'll probably see each other Monday night or Tuesday morning.

Leo Laporte [02:50:00]:
So yeah, the burgundy's on me Tuesday night for dinner.

Steve Gibson [02:50:03]:
Okay, sounds great. We'll see you later. And everybody else, on back on Tuesday, uh, per our regular schedule.

Leo Laporte [02:50:11]:
Cool. Bye. Hi, I'm Leo Laporte, host of This Week in Tech and many other shows on the TWiT Podcast Network. Can you believe it? 2026 is around the corner. So this, my friends, is the best time to grow your brand with TWiT. Nobody understands the tech audience better than, than we do. We love our audience and we know how to effectively message to them. We develop genuine relationships with brands, creating authentic promotions that resonate with our highly engaged community of tech enthusiasts.

Leo Laporte [02:50:44]:
You know, over 90% of TWiT's audience is involved in their company's tech and IT decision-making. Can you believe that? 90%! 88% have actually made a purchase based on a TWiT host-read ad. No one comes close. We're the best at this. As one TWiT fan said, I've bought from TWiT TV sponsors because I trust Leo and his team's knowledge of the latest in tech. If TWiT supports it, I know I can trust it. You cannot buy trust like that. Well, actually you can.

Leo Laporte [02:51:14]:
You can buy that on TWiT. All our ads are unique. They're read live by our expert hosts, Micah Sargent, me. We simulcast all during the shows on our social platforms so everybody can be watching live. You know, one of our customers, Haroon Meer, the founder of Thinkst Canary, he's been with us since 2016. Since 2016, he said, we expected TWiT to work well for us because we were longtime listeners who over the years bought many of the products and services we learned about on various TWiT shows, and we were not disappointed. The combination of the very personal ad reads and the careful selection of products that TWiT largely believes in gives the ads an authentic, trusted voice that works really well for our products. 10 out of 10, will use again.

Leo Laporte [02:52:03]:
Thank you, Haroon. We love you. And it's been 9 years. That's kind of— that's the proof, right? Partnerships with TWiT offer valuable benefits, including over-delivery of impressions. You get presence on show episode pages. So there's a link right there that our audience can click on. We're in the RSS feed descriptions, a link there too, and social media promotion. Our full-service team will craft compelling creative to elevate your brand and support you throughout your entire campaign.

Leo Laporte [02:52:32]:
I work on the copy myself to make it authentic, to make it real. If you want to reach a passionate tech audience through a network that consistently over-delivers, please contact us directly: partner@twit.tv. That's the email address, partner@twit.tv. Let's talk about how we can help grow your brand, or just go to twit.tv/advertise for more information. I look forward to working with you. Thanks for listening. Security Now.