All TWiT.tv Shows (Audio) – Security Now Episode 1020: Multi-Perspective Issuance Corroboration
Release Date: April 9, 2025
Hosts: Leo Laporte and Steve Gibson
Introduction
In the 1,020th episode of Security Now, hosted by Leo Laporte and Steve Gibson, the duo delves into a myriad of pressing security issues, ranging from critical vulnerabilities in widely-used software to significant policy changes affecting digital security practices. The episode, named "Multi-Perspective Issuance Corroboration," serves as a comprehensive exploration of current cybersecurity challenges and advancements.
Key Discussions and Insights
1. Multi-Perspective Issuance Corroboration (MPIC)
At [05:24], Steve Gibson introduces the main topic of the week: Multi-Perspective Issuance Corroboration (MPIC). This new requirement, unanimously adopted by the CA/Browser Forum, requires Certificate Authorities (CAs) to perform domain control validation from multiple geographic and network perspectives to mitigate the risk of Border Gateway Protocol (BGP) attacks and prefix hijacking.
Notable Quote:
"MPIC enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates."
— Steve Gibson [05:27]
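The corroboration decision described above can be sketched in a few lines. This is an added example, not code from the episode or from any CA; the perspective names, the token, the quorum figures (one miss tolerated with 2 to 5 remote perspectives, two with 6 or more) and the two-region condition are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    perspective: str        # hypothetical vantage-point label
    rir_region: str         # registry region the vantage point sits in
    token: Optional[str]    # validation token seen there, None if none was served

def allowed_non_corroborations(remote_count: int) -> int:
    """Quorum rule assumed here: 2-5 remotes tolerate 1 miss, 6 or more tolerate 2."""
    if remote_count < 2:
        raise ValueError("at least two remote perspectives are required")
    return 1 if remote_count <= 5 else 2

def corroborate(primary: Observation, remotes: List[Observation],
                expected: str) -> Tuple[bool, List[str]]:
    """Decide whether domain control validation is corroborated."""
    if primary.token != expected:
        return False, ["primary perspective did not see the expected token"]
    agreeing = [o for o in remotes if o.token == expected]
    misses = len(remotes) - len(agreeing)
    reasons = []
    if misses > allowed_non_corroborations(len(remotes)):
        reasons.append(f"{misses} of {len(remotes)} remote perspectives disagree")
    # Assumed extra condition: agreement must span two registry regions.
    if len({o.rir_region for o in agreeing}) < 2:
        reasons.append("agreeing perspectives sit in fewer than two regions")
    return not reasons, reasons

TOKEN = "constructed-token-123"   # constructed sample value

def sample(seen_by: set) -> List[Observation]:
    """Four constructed remote perspectives; only those in seen_by get the token."""
    regions = {"us-east": "ARIN", "eu-west": "RIPE",
               "ap-south": "APNIC", "sa-east": "LACNIC"}
    return [Observation(n, r, TOKEN if n in seen_by else None)
            for n, r in regions.items()]

PRIMARY = Observation("ca-datacenter", "ARIN", TOKEN)
# Normal issuance: every vantage point reaches the real server and sees the token.
NORMAL = corroborate(PRIMARY, sample({"us-east", "eu-west", "ap-south", "sa-east"}), TOKEN)
# Localized routing anomaly: only the primary and one nearby vantage point see
# the token; the other three reach a server that does not serve it.
HIJACK = corroborate(PRIMARY, sample({"us-east"}), TOKEN)
```

A single-perspective check would have accepted the second case, because the primary perspective alone saw the expected token.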
2. Canon Printer Driver Vulnerabilities
Steve details a severe vulnerability in Canon printer drivers, rated with a critical CVSS score of 9.4 ([15:00]). This flaw allows malicious actors to execute arbitrary code on affected systems without requiring elevated privileges or user interaction. The vulnerability, identified in the Enhanced Metafile (EMF) processing of the printer driver, poses a significant threat, especially since the drivers are signed by Microsoft, making exploitation straightforward.
Notable Quote:
"The vulnerability could allow malicious actors to compromise printing operations and, in severe cases, execute arbitrary code on affected systems."
— Steve Gibson [20:32]
3. Fisher & Paykel's Exceptional Cybersecurity Practices
In response to listener feedback, Leo and Steve discuss the exemplary cybersecurity measures implemented by Fisher & Paykel, a home appliance manufacturer. The company has integrated robust security protocols, such as WPA3, security-by-design principles, and regular penetration testing, to secure their connected appliances.
Notable Quote:
"They have security controls that provide independent redundancy to protect against malicious attacks."
— Steve Gibson [30:27]
4. France’s Phishing Test on School Children
Steve recounts a French government initiative where over two and a half million school children were subjected to a phishing test. The attempt to engage students with a lure promising game cheats resulted in only about 8% being deceived, showcasing a commendable level of cybersecurity awareness among the youth.
Notable Quote:
"French school children are not gullible. It turns out the French government tried to trick them and failed."
— Leo Laporte [43:14]
5. WordPress MU Plugins Vulnerability
The discussion shifts to WordPress, highlighting a vulnerability introduced three years prior with the "Must Use Plugins" (MU Plugins) feature. Hackers have exploited this by embedding malware within MU Plugins, which are automatically enabled and hidden from regular admin views, making detection and removal challenging.
Notable Quote:
"Hackers are breaking into WordPress sites and dropping malware in the MU plugins folder, knowing it will get automatically executed and won't show up in the site back end management."
— Steve Gibson [44:04]
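Because files in the MU plugins folder run automatically and do not appear in the regular admin views, a file-level inventory is one way for a site owner to notice additions. The following is an added example, not code from the episode or from WordPress; it assumes the default wp-content/mu-plugins location and a hypothetical approved list of SHA-256 hashes maintained by the site owner, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def audit_mu_plugins(wp_root, approved):
    """Compare wp-content/mu-plugins against `approved` (relative path -> SHA-256).

    Returns (relative_path, status, autoloaded) tuples for every file that is
    not on the approved list or whose content differs from the approved hash.
    """
    # Default layout assumed; a site that sets WPMU_PLUGIN_DIR keeps them elsewhere.
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    for path in sorted(mu_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(mu_dir).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        # WordPress loads only the PHP files sitting directly in the folder;
        # files in subfolders run only if one of those includes them.
        autoloaded = path.parent == mu_dir and path.suffix.lower() == ".php"
        if rel not in approved:
            findings.append((rel, "unexpected", autoloaded))
        elif approved[rel] != digest:
            findings.append((rel, "modified", autoloaded))
    return findings

def demo():
    """Build a throwaway site tree with constructed files and audit it."""
    with tempfile.TemporaryDirectory() as root:
        mu = Path(root) / "wp-content" / "mu-plugins"
        (mu / "lib").mkdir(parents=True)
        known = b"<?php // site loader (constructed sample)\n"
        (mu / "loader.php").write_bytes(known)
        (mu / "cache.php").write_bytes(b"<?php // changed after approval\n")
        (mu / "index.php").write_bytes(b"<?php // not on the approved list\n")
        (mu / "lib" / "helper.php").write_bytes(b"<?php // also unlisted\n")
        approved = {
            "loader.php": hashlib.sha256(known).hexdigest(),
            "cache.php": hashlib.sha256(b"<?php // approved version\n").hexdigest(),
        }
        return audit_mu_plugins(root, approved)

if __name__ == "__main__":
    for rel, status, autoloaded in demo():
        print(f"{status:10} autoloaded={autoloaded!s:5} {rel}")
```

Run from a scheduled job against the real site root, any non-empty result is worth a manual look, with the autoloaded entries first.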
6. Oracle’s Security Breaches
Steve addresses recent security breaches at Oracle, including unauthorized access to Oracle Health’s medical data and theft from their cloud services. Despite significant evidence, Oracle has denied these breaches, failing to comply with mandatory reporting requirements set by the U.S. Securities and Exchange Commission (SEC).
Notable Quote:
"Oracle has chosen to remain entirely silent, even though doing so is a clear breach of reporting law."
— Steve Gibson [51:41]
7. Utah’s App Store Accountability Act
Leo and Steve explore Utah's newly signed App Store Accountability Act, which mandates age verification and parental consent for users under 18 interacting with certain apps. This legislation marks a significant shift in regulating digital content consumption among minors.
Notable Quote:
"If we're going to decide that children's age matters, then responsibility needs to be taken somehow."
— Steve Gibson [51:42]
8. AI Bots DDoSing Free and Open Source Software (FOSS) Repositories
A concerning trend is discussed where AI-driven bots are inadvertently causing Distributed Denial of Service (DDoS) attacks on FOSS repositories. These bots, driven by the insatiable appetite for data to train AI models, are overwhelming critical infrastructure, leading to increased downtime and bandwidth costs.
Notable Quote:
"The arms race between data-hungry bots and those attempting to defend open source infrastructure seems likely to escalate further."
— Steve Gibson [67:58]
9. Gmail’s “End-to-End” Encryption Claims
The hosts analyze Google's announcement of purported end-to-end encryption for Gmail's corporate users. While Google claims that encryption occurs within the user's browser, Steve argues that true end-to-end encryption requires that only the sender and receiver have the means to encrypt and decrypt messages, which isn't fully achieved in this implementation.
Notable Quote:
"It is an interesting regulatory hack, but a hack it is."
— Steve Gibson [110:41]
10. Apache Parquet’s CVSS 10.0 Vulnerability
Concluding the technical discussions, Steve warns about a critical CVE (CVE-2025-30065) affecting Apache Parquet, an open-source columnar storage format. This vulnerability allows for remote code execution, underscoring the necessity for immediate updates to mitigate potential exploitation.
Notable Quote:
"If you're using Parquet, update immediately because you want to beat the bad guys to it."
— Steve Gibson [114:12]
Advertisements and Sponsor Messages
Throughout the episode, sponsors such as Material Security, ThreatLocker, Thinkst Canary, Bitwarden, and DeleteMe are featured, each highlighting their contributions to enhancing cybersecurity measures. Highlights include:
- Material Security: Emphasizes their cloud-focused security toolkit for email protection, leveraging intelligent automation to bolster security without hindering productivity.
- ThreatLocker: Promotes their Zero Trust platform designed to prevent ransomware and limit lateral movement within networks.
- Thinkst Canary: Showcases their honeypot solutions that act as tripwires for detecting unauthorized access within networks.
- Bitwarden: Advocates for their secure password management solutions, essential for both individual and enterprise users.
- DeleteMe: Focuses on their services to remove personal information from data brokers, enhancing privacy and security.
Notable Sponsor Quote:
"Protect your digital workspace, empower your team, secure your future with Material."
— Steve Gibson [86:24]
Listener Feedback and Interactions
The episode features various listener interactions, including:
- Issues with Two-Factor Authentication: One listener experiences incessant authentication reset requests, highlighting the importance of robust security measures.
- Moving Away from Windows: An anonymous security researcher discusses transitioning to open-source solutions to avoid escalating licensing costs from Microsoft.
- Buffer Bloat Tribute: A heartfelt mention of Dave Todd, a pioneer in identifying and resolving buffer bloat issues, underscores the community’s appreciation for contributions to internet robustness.
Notable Listener Quote:
"I've been a long-time Security Now listener and I've always appreciated your insightful commentary and analysis mixed with some humor on all things related to cybersecurity."
— Steve Gibson [125:02]
Concluding Remarks
As the episode wraps up, Leo and Steve reflect on the enduring relevance of Security Now, celebrating its longevity and the community it has built over two decades. They emphasize the importance of staying informed and proactive in the ever-evolving landscape of cybersecurity.
Notable Closing Quote:
"If privacy is important to you, this is a really good way to do it."
— Leo Laporte [155:14]
Conclusion
Episode 1020 of Security Now offers a thorough examination of contemporary cybersecurity threats and innovations. From critical software vulnerabilities and policy changes to the unintended consequences of AI advancements, the hosts provide listeners with valuable insights and actionable advice to navigate the complex digital security terrain.
For detailed show notes, transcripts, and additional resources mentioned in this episode, visit grc.com.