Security Now 1033: Going on the Offensive – Detailed Summary
Release Date: July 9, 2025
Host: Steve Gibson
Co-Host: Leo Laporte
Podcast Network: TWiT
Description: Leo Laporte and Steve Gibson delve into pressing security and privacy issues, offering insightful discussions with experts in technology.
1. Introduction and Key Topics
The episode, titled "Going on the Offensive," opens with a brief overview of the main subjects to be covered:
- Zero Days and the US Cyber Arsenal: Discussion on how the United States is stockpiling zero-day vulnerabilities.
- Israeli Spyware Exploits: Examination of Israeli companies utilizing zero-days to target journalists in Italy.
- Supreme Court's Age Verification Ruling: Analysis of the recent Supreme Court decision permitting age verification on the internet and its implications.
2. Zero Days and Offensive Cyber Capabilities
Steve Gibson introduces the concept of zero-day vulnerabilities, emphasizing their strategic importance in cyber warfare.
[07:06] Steve Gibson: "Zero day exploitation is becoming more difficult, opaque, and expensive, leading to feast or famine contract cycles."
Winnona DeSombre Bernsen, a former Google security engineer and Atlantic Council fellow, authored a comprehensive report titled "Crash (Exploit and Burn): Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace." Key insights from the report include:
- US vs. China Cyber Capabilities: The US faces challenges in securing a reliable offensive cyber supply chain compared to China's more streamlined and aggressive acquisition methods.
- Middlemen Dilemma: The presence of middlemen in the zero-day marketplace inflates costs and reduces transparency, making it harder for the US to procure exploits efficiently.
- Recommendations: Strengthening the supply chain by fostering domestic talent, simplifying acquisition processes, and adjusting policy frameworks to enhance counterintelligence strategies.
[24:05] Steve Gibson: "It's clear that the US government itself needs to emerge from the shadows. It needs to become a well-advertised, high-value, explicit buyer of zero-day exploits."
3. Israeli Spyware and Targeted Attacks
The episode scrutinizes the rise of Israeli commercial spyware firms and their impact on global security:
- Companies in Focus: NSO Group (Pegasus), QuaDream (Reign), Candiru (now Saito Tech Ltd.), and the newly surfaced Paragon with its Graphite spyware.
- Recent Incidents: In April 2025, Apple notified several European journalists, including in Italy, that their iPhones had been targeted; subsequent forensic analysis attributed the zero-click attacks to Paragon's Graphite spyware.
[07:25] Steve Gibson: "These Israeli companies are not just selling to rogue states; they're actively monitoring journalists, undermining press freedom."
Apple's Response: Apple patched the zero-day exploited by Paragon in iOS 18.3.1 (released in February 2025) and later attributed the fix to CVE-2025-43200, a logic flaw in the handling of a maliciously crafted photo or video shared via an iCloud link.
[31:04] Steve Gibson: "Apple detected a targeted mercenary spyware attack against your iPhone."
4. Supreme Court's Age Verification Decision
The Supreme Court upheld a Texas law mandating proactive age verification for accessing pornographic content online, sparking debates on privacy and free speech:
- Majority Opinion: Justice Clarence Thomas argued that adults have no First Amendment right to avoid age verification for obscene materials.
[112:23] Justice Clarence Thomas: "Adults have no First Amendment right to avoid age verification for obscene materials."
- Dissenting Opinion: Justice Elena Kagan expressed concerns about the law imposing unconstitutional burdens on adults' access to protected speech.
[112:25] Justice Elena Kagan: "The First Amendment protects those sexually explicit materials for every adult."
Implications:
- Privacy Concerns: Age verification systems may infringe on users' privacy, requiring intrusive measures to prove age.
- Potential for Overreach: Risks of expanding the law to include broader content classifications, affecting free speech.
[122:43] Steve Gibson: "Having a 'Yes, I'm 18' button does nothing. It's like, you know, the handle on the door is unlocked."
5. Updates on Cybersecurity and Software Vulnerabilities
WinRAR Vulnerability:
- A directory traversal flaw (CVE-2025-6218) in WinRAR versions before 7.12 lets a specially crafted archive write files outside the directory the user chose for extraction, which an attacker can chain into code execution in the user's context. Users are urged to update to 7.12.
[87:45] Steve Gibson: "WinRAR just moved to version 7.12, and everyone using it should update. You just go to win-rar.com/download.html."
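The WinRAR flaw above belongs to a generic class, often called "zip slip": an archive entry whose name contains ../ components, a backslash-separated Windows path, or an absolute path, which a naive extractor writes outside the destination directory. The following Python example is added here as an illustration of the check an extractor should perform; it is not WinRAR's code, it uses Python's standard zipfile module rather than the RAR format, and the archive it builds is constructed in memory for the demonstration (none of its entries is a real malicious sample).

```python
"""Vet archive member names for directory traversal before extracting them."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Construct a ZIP in memory: one benign entry plus entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../evil.txt", "escapes via parent references\n")
        zf.writestr("/etc/cron.d/evil", "absolute POSIX path\n")
        zf.writestr("docs/..\\..\\evil2.txt", "backslash traversal (Windows-style)\n")
        zf.writestr("docs/sub/../../../evil3.txt", "nested traversal\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if `name` resolves to a path strictly inside `dest`."""
    # Treat backslashes as separators: Windows extractors do, and archives
    # sometimes use them deliberately to dodge forward-slash-only checks.
    normalized = name.replace("\\", "/")
    # Reject absolute POSIX paths and Windows drive-letter paths outright.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    # normpath collapses "." and ".." components; any escape now starts with "..".
    collapsed = posixpath.normpath(normalized)
    if collapsed in (".", "..") or collapsed.startswith("../"):
        return False
    # Belt and braces: the resolved target must share `dest` as a common prefix.
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *collapsed.split("/")))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def partition_members(archive: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) for extraction into `dest`."""
    accepted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            (accepted if is_safe_member(info.filename, dest) else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Write only vetted members, computing the final path ourselves so the
    check above, not the library's own name sanitization, decides where bytes land."""
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                continue
            collapsed = posixpath.normpath(info.filename.replace("\\", "/"))
            target = os.path.join(dest, *collapsed.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest).replace(os.sep, "/"))
    return written


def demo() -> Tuple[List[str], List[str]]:
    """Extract the constructed archive into a fresh temp dir; return (written, rejected)."""
    dest = tempfile.mkdtemp(prefix="safe_extract_")
    _, rejected = partition_members(build_sample_archive(), dest)
    written = safe_extract(build_sample_archive(), dest)
    return written, rejected


if __name__ == "__main__":
    w, r = demo()
    print("written:", w)
    print("rejected:", r)
```

The normpath check alone would already catch every entry in the sample, but the commonpath comparison is kept because it also covers separators and prefixes that a future normalization bug might let through. Two caveats a practitioner should add for real archives: symlink members (a link pointing outside the destination, followed by a file written through it) need their own handling, which for tar on Python 3.12+ the stdlib provides via tarfile's filter="data" extraction filter; and the check must run against the archive's actual member list at extraction time, not against a listing shown to the user earlier.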
LibXML2 Maintenance Crisis:
- Nick Wellnhofer, the maintainer of LibXML2, announced his intention to step down due to the overwhelming burden of managing security issues without adequate support.
[75:07] Nick Wellnhofer: "This project will never be maintained again. Most core parts of LibXML2 should be covered by Google or other bug bounty programs."
- Red Hat's Response: Michael Catanzaro from Red Hat emphasized the critical nature of LibXML2 and the need for corporate support to maintain its security.
[78:47] Michael Catanzaro: "If nobody else wants to help maintain LibXML2, then security issues will surely reach the disclosure deadline and become public before they are fixed."
6. Legislative and Regulatory Actions
Canada and the UK’s Common Good Cyber Fund:
- Announcement: On June 17th, during the G7 Summit in Kananaskis, Alberta, the UK and Canada launched the Common Good Cyber Fund, initially backed by £5.7 million from the UK.
- Purpose: To support nonprofits providing core cybersecurity services that protect civil society and enhance global internet security.
[50:59] Steve Gibson: "The fund will support nonprofits that maintain and secure core digital infrastructure, including DNS, routing, and threat intelligence systems for the public good."
US Crackdown on Bitcoin ATMs:
- Reasons: Rising scams and fraud associated with cryptocurrency ATMs have prompted multiple US states to enforce stricter regulations, including deposit caps and enhanced oversight.
- Impact: States like Illinois, Vermont, Nebraska, Arizona, Oklahoma, and Rhode Island have enacted laws to limit the abuse of crypto kiosks, particularly protecting older Americans from fraud.
[54:24] Leo Laporte: "Cryptocurrency transactions are irreversible; it's like a roach motel for money."
Russia’s Massive IMEI Database:
- Development: Russia is creating a centralized IMEI database to block individual devices from mobile networks, ostensibly to combat financial fraud.
- Concerns: This expansion raises significant privacy and surveillance issues, reminiscent of authoritarian overreach.
[124:16] Steve Gibson: "It's a big brother move, throttling Cloudflare traffic and limiting data flow to 16 KB."
7. Commercial Use of Open Source Software
Challenges with LibXML2:
- Issue: As open-source libraries like LibXML2 become integral to major operating systems (Windows, macOS, Linux), maintaining their security falls on volunteer maintainers, leading to burnout and potential security lapses.
- Impact: Without proper support and funding, critical vulnerabilities may remain unpatched, exposing millions globally.
[75:30] Nick Wellnhofer: "It's foolish to use this software to process untrusted data."
8. Ransomware Attack Trends
Sophos Analysis:
- Root Causes:
- Exploited Vulnerabilities: 32-36% of ransomware attacks.
- Compromised Credentials: 23-29%.
- Malicious Emails: 18-23%.
- Phishing: 11-18%.
- Brute Force Attacks: 3-6%.
- File Downloads: 1-2%.
- Statistics:
- 2023: 1,974 attacks.
- 2024: 2,974 attacks.
- 2025 (YTD): 3,400+ attacks.
[95:00] Steve Gibson: "Exploited vulnerabilities and compromised credentials account for over half of all ransomware attacks."
9. Conclusion and Final Thoughts
Steve Gibson emphasizes the critical need for the US to enhance its offensive cyber capabilities to counteract China's advancements. He advocates for:
- Direct Engagement: Encouraging the US government to become a transparent and high-value buyer of zero-day exploits.
- Eliminating Middlemen: Streamlining the acquisition process to ensure fair compensation for hackers without excessive markups.
- Protecting Hackers: Offering legal protections to security researchers to incentivize the discovery and responsible disclosure of vulnerabilities.
[99:06] Steve Gibson: "If having a strong deterrent helps to keep the peace, then let's get one."
Leo Laporte echoes these sentiments, highlighting the precarious balance between enhancing security and safeguarding privacy and free speech.
Notable Quotes
- Steve Gibson [07:06]: "Zero day exploitation is becoming more difficult, opaque, and expensive, leading to feast or famine contract cycles."
- Justice Clarence Thomas [112:23]: "Adults have no First Amendment right to avoid age verification for obscene materials."
- Steve Gibson [24:05]: "It's clear that the US government itself needs to emerge from the shadows. It needs to become a well-advertised, high-value, explicit buyer of zero-day exploits."
- Nick Wellnhofer [75:30]: "It's foolish to use this software to process untrusted data."
- Steve Gibson [99:06]: "If having a strong deterrent helps to keep the peace, then let's get one."
Powerful Insights and Conclusions
- Offensive Cyber Supply Chain: The US needs to restructure its approach to acquiring zero-day vulnerabilities to remain competitive against China's robust cyber capabilities. This involves fostering domestic talent, reducing reliance on opaque middlemen, and instituting legal protections for researchers.
- Commercial Spyware Threat: Israeli spyware firms are increasingly targeting journalists, raising ethical and security concerns. Apple's proactive patching underscores the ongoing arms race between spyware developers and technology vendors.
- Age Verification vs. Privacy: The Supreme Court's decision to uphold Texas's age verification law for pornographic sites poses significant challenges to online privacy and free speech, highlighting the tension between regulation and individual rights.
- Open Source Maintenance Crisis: The sustainability of critical open-source projects like LibXML2 is jeopardized by overreliance on volunteer maintainers, emphasizing the need for corporate support and fair compensation.
- Ransomware Resurgence: The consistent rise in ransomware attacks, primarily driven by exploited vulnerabilities and compromised credentials, underscores the urgent need for robust cybersecurity defenses and proactive vulnerability management.
This episode of Security Now provides a comprehensive exploration of the current landscape in offensive cyber operations, highlighting the strategic imperatives for the United States to bolster its cyber defenses and offensive capabilities in the face of evolving global threats.