TechnicalNews

SN 1070: CISA's Free Internet Scanning - Malware Disguised as a VPN

Security Now (Audio)2h 46m

Steve Gibson discusses various cybersecurity topics including social media companies backing away from end-to-end encryption, malware disguised as VPN software, and his positive experience with CISA's free internet scanning service. He also addresses questions about AI-generated code and shares insights from security researchers about current threats.

Summary

This Security Now episode covers multiple cybersecurity developments. Gibson begins by discussing how both TikTok and Meta have announced plans to discontinue or not implement end-to-end encryption on their platforms, citing concerns about content moderation and child safety. He suggests this may signal a broader retreat from consumer encryption on major platforms. The episode covers proxy-related malware, particularly the takedown of SOX Escort, a residential proxy service that was actually a front for malware operations infecting routers and modems to create proxy botnets. Gibson warns about the growing threat of malware targeting consumer bandwidth for malicious purposes. A significant portion discusses VPN-related malware, where attackers use SEO poisoning to distribute fake VPN clients that harvest credentials while appearing legitimate. Microsoft's research shows these attacks use digitally signed malware hosted on trusted platforms like GitHub. Gibson addresses listener questions about AI-generated code, sharing contrasting perspectives from product manager Akash Gupta and veteran programmer Uncle Bob Martin. While acknowledging AI's potential, Gibson explains his personal reluctance to use AI for production code due to concerns about understanding and maintaining code he didn't write. The main feature discusses Gibson's successful experience with CISA's free internet scanning service, which he highly recommends to enterprise users. CISA found a minor vulnerability in GRC's SSL configuration involving deprecated cipher suites, demonstrating the service's value even for well-maintained networks.

About this episode

<p>Meta quietly ditches encryption for Instagram chats while TikTok also backpedals on privacy, shaking up assumptions about how much big tech really values your secrets. Meanwhile, Steve Gibson reveals why CISA's free government security scans are an absolute must for businesses—plus what he learned when GRC took the plunge.</p><ul> <li>The Security Now "Caption That Photo" contest.</li> <li>A mega social media company says "no" to strong encryption.</li> <li>WhatsApp to give parents more control,</li> <li>Consumer bandwidth proxying is becoming a big deal.</li> <li>Meta buys the Moltbook duo.</li> <li>The EU gives up and settles upon the status quo.</li> <li>When a ransomware negotiation is not what it seems.</li> <li>CISA compels federal agencies to submit their logs.</li> <li>Is that a VPN in your pocket or something more malicious.</li> <li>Be careful what you download, thinking it's AI.</li> <li>A super-clever and super-simple A/V scanner bypass.</li> <li>Will AI write code for me?</li> <li>Another listener discovers the Joy of AI.</li> <li>Steve's CISA Internet scanning experience</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1070-Notes.pdf">https://www.grc.com/sn/SN-1070-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/leo-laporte">Leo Laporte</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="http://outsystems.com/twit" rel="sponsored" target="_blank">outsystems.com/twit</a></li> <li><a href="http://joindeleteme.com/twit" rel="sponsored" target="_blank">joindeleteme.com/twit promo code TWIT</a></li> <li><a href="https://material.security" rel="sponsored" target="_blank">material.security</a></li> <li><a href="http://canary.tools/twit" rel="sponsored" target="_blank">canary.tools/twit - use code: TWIT</a></li> <li><a href="https://www.adaptivesecurity.com/?utm_source=podcast&amp;utm_medium=other&amp;utm_campaign=2026_NA_Podcast_security_now&amp;utm_id=701Rd00000d9YqPIAU" rel="sponsored" target="_blank">adaptivesecurity.com</a></li> <li><a href="http://meter.com/securitynow" rel="sponsored" target="_blank">meter.com/securitynow</a></li> </ul></p>

Key Insights

  • Gibson argues that Meta and TikTok's retreat from end-to-end encryption may signal a broader industry backing away from consumer encryption on major platforms
  • Gibson claims that most users don't actually demand encryption and won't leave platforms if it's removed, unlike privacy advocates
  • Gibson explains that SOX Escort operated as a malware front, infecting over 369,000 IP addresses through router vulnerabilities rather than user permission
  • Gibson warns that bad guys have substantial interest in using distributed consumer bandwidth to hide their attacks behind residential IP addresses
  • Gibson states that keeping routers secure requires avoiding any deliberately exposed WAN-side services, particularly remote web access to management interfaces
  • Gibson describes how attackers use SEO poisoning to make malicious VPN downloads appear first in Google search results for legitimate VPN software
  • Gibson notes that the fake VPN malware was digitally signed with valid certificates, representing a failure of the code signing system to prevent malicious software
  • Gibson argues that today's AI is 'stochastic' and cannot absolutely follow rules, making it unsuitable for production code where reliability is critical
  • Gibson explains his personal coding philosophy centers on writing code as correctly as possible rather than just 'good enough'
  • Gibson believes future AI coding will require specialized, application-specific AI rather than general-purpose models
  • Gibson reports that CISA's scanning service found a theoretical SSL vulnerability in GRC's servers related to deprecated 64-bit block ciphers
  • Gibson explains that the Suite 32 vulnerability would require 18.6 hours of continuous connection and 705 GB of data transfer to exploit
  • Gibson discovered that CISA scans networks continuously with frequency based on vulnerability severity, from every 12 hours for critical issues to every 90 days for dark hosts
  • Gibson argues there's no downside to CISA scanning since they only examine publicly accessible information that attackers can already see
  • Gibson recommends that any organization with multiple static IP addresses should use CISA's free scanning service as an additional security layer

Topics

End-to-end encryptionVPN malwareCISA internet scanningAI-generated codeProxy botnetsSSL vulnerabilities

Transcript

It's time for security now. Steve Gibson is here. Lots to talk about this week. We need a caption for our photo of the week. Maybe you can help a social media company. Another one says no to strong encryption. That's not a good sign. There is a problem with proxies serving malware, and it might even be coming from your router. We'll tell you how to find out. And then he's going to talk about his experience using Cease's Internet Scanner. All that coming up next on Security Now. This episode is brought to you by OutSystems, a leading AI development platform for the enterprise. Organizations all over the world are creating custom apps and AI agents on the…

Full transcript available for MurmurCast members

Sign Up to Access

More from Security Now (Audio)

Get AI summaries like this delivered to your inbox daily

Get AI summaries delivered to your inbox

MurmurCast summarizes your YouTube channels, podcasts, and newsletters into one daily email digest.