Security Is Hard

Podcast: Play in new window | Download (Duration: 56:36 — 37.4MB) | Embed

Subscribe: Google Podcasts | Spotify | Stitcher | TuneIn | RSS | More

It’s really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard – even when you’re trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we’re going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task.

In today’s show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it’s still being actively exploited (hint: patch now!); it was recently argued that WhatsApp’s end-to-end encryption has a “backdoor”, but I’ll explain why that’s not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its “no IP logging” marketing in the face of a recent incident involving a French activist’s account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I’ll tell you about a new fourth credit bureau where you should freeze your credit report.

Article Links

• Free REvil ransomware master decrypter released for past victims https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/ 
• Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR 
• WhatsApp Fixes Its Biggest Encryption Loophole https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/ 
• No, Facebook Isn’t Reading Your Private WhatsApp Messages. The Problem Is Much Worse https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html 
• Pwned! The home security system that can be hacked with your email address https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/  
• ProtonMail Amends Its Policy After Giving Up an Activist’s Data https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/ 
• New Mac malware spreads via search results https://www.tomsguide.com/news/mac-malware-fake-iterm2
• Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/ 

Further Info

• Become a Patron! https://www.patreon.com/FirewallsDontStopDragons 
• Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker
• Stay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
• Generate secure passphrases! https://d20key.com/#/