Security Now (Audio)

The podcast discusses the significant impact of AI on cybersecurity practices and Capture the Flag (CTF) competitions, noting a shift in the ability to solve challenges using AI tools. This transition raises concerns about the future of skill measurement in the cybersecurity field, as traditional CTF competitions are being undermined by AI's capabilities.

Security Now episode 1076 covers the discovery of FAST16.SYS, a sophisticated NSA-linked kernel rootkit from 2005 that subtly corrupted physics and engineering calculation software — predating Stuxnet by five years. The episode also covers a Bitwarden CLI supply chain attack, Iranian router malfunctions before the US/Israeli strikes, Meta's employee activity logging for AI training, and Steve Gibson's GRC e-commerce system rewrite.

Security Now episode 1075 discusses the growing threat of AI-powered vulnerability discovery, particularly Anthropic's Project Mythos, which Mozilla confirmed found 271 bugs in Firefox. The episode also covers a disgruntled researcher publishing Windows zero-days, Microsoft's record bug bounty payouts, and a formal industry-wide warning signed by top cybersecurity leaders urging immediate action.

Security expert Steve Gibson analyzes Anthropic's new Mythos AI model, which demonstrates superhuman capability in discovering software vulnerabilities. While Anthropic claims the model is too dangerous to release publicly, Gibson examines the evidence and concludes this represents a watershed moment for cybersecurity that exposes widespread flaws in existing software.

Steve Gibson analyzes the FCC's ban on all new foreign-made consumer routers, explaining why it's arbitrary and ineffective. The show also covers LinkedIn's 2.7MB JavaScript surveillance code that scans users' computers for over 6,000 browser extensions, and touches on Apple's new age verification requirements in the UK.

Steve Gibson and Leo Laporte discuss the LiteLLM PyPI exploit, a sophisticated supply chain attack that infected the popular AI proxy service with credential-stealing malware. The attack, executed by Team PCP, exploited a compromised security scanner (Trivy) to inject malware that would have affected 3.4 million daily downloads, but was caught due to a coding error that caused systems to crash.

Steve Gibson and guest host Micah Sargent discuss a critical security flaw in H&R Block's tax software that installs an untrustworthy root certificate with accessible private keys. They also cover 'bucket squatting' - a major vulnerability where attackers hijack abandoned Amazon S3 buckets to compromise software supply chains.

Steve Gibson discusses various cybersecurity topics including social media companies backing away from end-to-end encryption, malware disguised as VPN software, and his positive experience with CISA's free internet scanning service. He also addresses questions about AI-generated code and shares insights from security researchers about current threats.