Security Now 1017: Is YOUR System Vulnerable to RowHammer?
Hosted by Steve Gibson, March 19, 2025
Introduction
In the March 19, 2025 episode of Security Now, host Steve Gibson delves deep into the persistent and evolving security threat known as RowHammer. Joined by Leo Laporte, the episode explores a variety of pressing security issues, including vulnerabilities in Telegram’s cryptography, recent high-profile cyberattacks, and critical software flaws. The discussion is enriched with insights from listener feedback and expert recommendations, providing a comprehensive overview of the current state of cybersecurity.
RowHammer Vulnerability and Testing
Understanding RowHammer
RowHammer remains a significant concern in cybersecurity, characterized by its ability to cause bit flips in DRAM by repeatedly accessing memory rows. Steve Gibson explains, “The Rowhammer effect flips bits in inaccessible memory locations just by reading the contents of nearby memory locations” (02:23). This hardware vulnerability undermines the security guarantees of modern computing systems, allowing attackers to breach memory protection policies.
State of RowHammer Research
Despite advancements in DRAM technology aiming to mitigate RowHammer, vulnerabilities persist. Gibson notes, “DDR5 was supposed to fix it, but still hasn't,” highlighting the challenge of keeping pace with evolving memory technologies. He emphasizes the critical need for widespread testing to understand the real-world prevalence of RowHammer attacks.
Community Call to Action
A significant portion of the episode is dedicated to encouraging listeners to participate in an open-source study aimed at assessing RowHammer susceptibility across various systems. Gibson shares, “We invite everyone to participate in this unique opportunity at the 38th Chaos Communication Congress to join forces and close this research gap” (141:22). The initiative seeks extensive real-world data to better gauge the vulnerability landscape.
Analysis of Telegram’s Cryptography
Cryptographic Shortcomings
A major highlight of the discussion is the critical analysis of Telegram’s proprietary cryptography. Gibson recounts, “We always knew it was crap” (04:13), expressing long-standing skepticism about Telegram’s encryption methods. Recent research by a team of cryptographers from ETH Zurich, Tel Aviv University, and Amazon unveiled significant flaws in Telegram’s key exchange protocols. The study, presented at EuroCrypt 2025, labeled Telegram’s cryptographic design as a “brittle monolith” (06:51).
Implications for Users
The flawed cryptography undermines user security, making Telegram susceptible to various attacks. Gibson speculates, “Telegram is likely secure enough for everyone’s current use, but its design actively fights against that actually ever being proven” (16:05). This admission underscores the inherent risks for users relying on Telegram for secure communications.
Recent Security Incidents
Twitter’s DDoS Attack and Misattribution
The episode covers the recent high-profile DDoS attack on Twitter (now rebranded as X). Elon Musk inaccurately attributed the attack to Ukrainian IP addresses during an interview, stating, “...the attack came from Ukrainian IP addresses” (29:40). However, evidence pointed to the Dark Storm Team, a group offering DDoS-for-hire services, as the actual perpetrators. Gibson criticizes Musk’s misstatement, noting, “...it was not true, at least from a bandwidth standpoint” (29:40).
PHP Vulnerability Exposure
A critical vulnerability in PHP-based Windows servers was discussed, emphasizing the widespread risk due to default configurations in popular stacks like XAMPP. Gibson warned, “The default XAMPP stack is vulnerable” (06:37), urging server administrators to update PHP versions promptly. He detailed the severity of the flaw, stating, “this is really bad” (07:24), highlighting the ease with which attackers can exploit outdated PHP configurations to execute arbitrary code.
Firefox Root Certificate Expiration
Another significant issue addressed is Mozilla Firefox’s expired root certificate, which could disrupt add-ons and DRM-protected media playback for users not updating their browsers. Gibson reassures, “...anyone who hasn't updated their Firefox even once since then would have nothing to blame” (34:47). He advises vigilant updating to prevent functionality loss, especially for Firefox ESR users.
AI-Generated GitHub Repositories with Malware
The rise of AI-generated GitHub repositories deploying malware was another topic of concern. Trend Micro reported that malicious repositories use AI tools to create polished descriptions, misleading developers into downloading malware like the Smoke Loader and Luma Stealer. Gibson cautions, “beware of repos that actually, you know, they don't look like they're written by some Russian national trying to write English anymore” (43:36).
Legislative and Policy Discussions
Age Verification and Privacy Concerns
The episode delves into the complexities of legislative proposals surrounding age verification online. Google’s stance contrasts sharply with Meta’s push for legislation that could compromise user privacy by mandating data sharing without consent. Gibson explains, “Google is proposing a more comprehensive legislative framework that shares responsibility between app stores and developers” (63:34). This approach aims to balance child safety online with robust privacy protections, criticizing Meta’s strategy for introducing unnecessary privacy risks.
Spain’s AI-Generated Content Legislation
Spain introduced stringent fines for companies producing unlabeled AI-generated content, aiming to curb deepfakes and non-consensual adult content. Gibson remarks on the significance of the fines, “that’s the only real ironclad guarantee that you’re getting something that is totally reliable, totally secure, done right” (65:39). This move positions Spain as a leader in regulating AI-generated content, aligning with broader EU AI Act provisions.
UK’s Secret Court Orders to Apple for Encryption Access
A contentious issue discussed is the UK government’s secret legal orders (Technical Capability Notices) demanding that Apple enable access to encrypted iCloud backups. Although Apple is contesting these demands in closed court hearings, the secrecy perpetuates distrust and prompts calls for transparency. Gibson critiques the lack of openness, stating, “Secrecy is the authoritarian’s friend. That’s really sad” (82:34). He advocates for universally applied rules to prevent selective compliance that disadvantages companies like Apple.
Security Tools and Recommendations
Bitwarden’s Open-Source Password Management
Leo Laporte highlights Bitwarden as a trusted, open-source password manager praised for its transparency and security features. He mentions, “Bitwarden is up to date because its users contribute” (36:09), emphasizing its suitability for both individual and business use. The discussion underscores the importance of open-source solutions in verifying and enhancing cryptographic security.
ThreatLocker’s Zero Trust Platform
Another recommendation is ThreatLocker, a zero-trust security platform designed to block unauthorized actions and protect against known and unknown threats. Gibson explains, “It blocks every unauthorized action, protecting you from both known and unknown threats” (36:18). He highlights its applicability across industries and its role in mitigating ransomware and supply chain attacks.
Listener Feedback and Community Stories
Job Applicant Authenticity Concerns
Listener Sam Miorelli shares his experience with hiring applicants who may have used AI tools to fabricate credentials, highlighting the challenges in verifying the authenticity of job candidates. Gibson acknowledges, “There are lots of phonies out there, not just the North Koreans” (103:00), underlining the growing need for robust screening processes in recruitment.
PHP Vulnerability Experiences
Leo recounts his past mistakes with PHP server configurations, admitting, “I think somebody could upload plaintext PHP file that could then execute” (102:59). This anecdote serves as a cautionary tale, reinforcing the episode’s emphasis on securing PHP servers against RowHammer and other vulnerabilities.
Password Manager Preferences
Listener Mark Goldstein praises 1Password for its robust security model and cross-platform capabilities. He writes, “Their cross platform implementation of passkeys works great for me” (113:06), supporting the episode’s advocacy for secure, well-designed password management solutions.
Conclusion
The episode culminates with a call to action for systems administrators and everyday users alike to assess their vulnerability to RowHammer attacks. Gibson emphasizes the importance of proactive security measures, advising, “It's the only way” (111:06). The collaborative effort to gather widespread data through the Flippy RAM study aims to bridge the research gap and enhance global understanding of RowHammer's real-world impact.
Notable Quotes
- "Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses." — Steve Gibson (02:23)
- "Telegram’s design actively fights against that actually ever being proven secure." — Steve Gibson (16:05)
- "Secrecy is the authoritarian’s friend. That’s really sad." — Leo Laporte (82:34)
- "Beware of repos that actually... don't look like they're written by some Russian national trying to write English anymore." — Steve Gibson (43:36)
- "They don’t want any responsibility. They don’t want any part of this." — Steve Gibson (63:34)
Recommendations
- Test Your System for RowHammer Vulnerability: Utilize the open-source Flippy RAM framework to assess your system’s susceptibility. Participate in community studies to contribute to broader security research.
- Update PHP Configurations: Ensure PHP servers, especially those running on Windows with default XAMPP stacks, are updated to the latest versions to mitigate RowHammer and related vulnerabilities.
- Adopt Robust Password Managers: Implement open-source password managers like Bitwarden or highly secure commercial options like 1Password to enhance credential security.
- Stay Informed on Legislative Changes: Monitor and engage with ongoing legislative developments related to age verification and AI-generated content to understand their implications on privacy and security.
For more detailed insights and access to recommended tools, visit GRC.com.