Security Now 1049: DNS Cache Poisoning Returns - Ransomware Payments Plummet
Podcast: Security Now (TWiT)
Hosts: Steve Gibson & Leo Laporte
Date: October 29, 2025
Duration: ~2h 50m
Episode Overview
This episode brings Steve Gibson and Leo Laporte together for a wide-ranging discussion of contemporary security issues. The main theme centers on the alarming resurgence of DNS cache poisoning—an issue believed largely solved since 2008—and what this vulnerability means for global internet security today. The hosts also break down the dramatic plunge in ransomware payments, examine why recovery attempts still fail despite organizations' confidence, and share insights on real-world hacking stories, including the fate of young UK hackers. The show weaves together technical deep-dives, practical advice, regulatory updates, and engaging listener feedback.
Key Discussion Points & Insights
1. Lighthearted Start: Season, Clocks, and Public Naming Fun
- Steve and Leo banter about daylight savings confusion and automating clock changes.
- They highlight Britain's publicly named leaf-clearing train: “Control Alt Deleaf” (13:28). Humorous and reminiscent of the “Boaty McBoatface” saga.
2. Real-World IoT Risks: Smart Vacuums Mapping & Spying
- [14:41] A blog post by Harishankar Narayanan exposes a $300 iLife A11 robot vacuum streaming unapproved data, mapping his home, and ultimately being remotely “killed” after he blocked its outbound traffic.
- Narayanan discovers an open Android Debug Bridge (ADB) interface with root access, and that the company sent a remote kill command once he blocked its telemetry.
- The vacuum was mapping homes in 3D via Google Cartographer.
- Discussion reveals the device might be “white-labeled” and appear in many brands (21:31).
- Security Takeaway: Any networked IoT device, especially those from lesser-known manufacturers, may be a Trojan horse for data exfiltration and remote commands.
- Steve: “Our homes are filled with cameras, microphones and mobile sensors connected to companies we barely know, all capable of being weaponized with a single line of code.” [21:31]
- Security-aware users should use isolated guest Wi-Fi with true network isolation for IoT devices.
3. International Cyber Policy: Russia and China’s Vulnerability Laws
- [32:27] Russia proposes legislation requiring all discovered vulnerabilities to be reported to the government, echoing China’s 2021 law.
- Chinese law mandates bugs be reported within 48 hours to state agencies, before any public disclosure or patch.
- This centralization of disclosure has been linked to a rise in Chinese APT use of zero-days.
- Steve: “This all leaves very little doubt that China, as a sober and aggressive cyber war participant, is doing everything it can to marshal and weaponize the vulnerabilities...” [47:19]
- Global Security Impact: Laws like these reduce disclosures to vendors/foreign firms and encourage weaponization for offensive cyber operations.
4. Social Networks & the EU DSA: The Privacy and Compliance Landscape
- [53:56] EU Commission finds Facebook, Instagram, and TikTok in breach of the Digital Services Act:
- Not adequately supporting researcher access or user tools for reporting/challenging illegal/harmful content.
- Risk of up to 6% global revenue fines.
- Meta accused of using “dark patterns” to complicate user notifications (60:00).
- Coming accountability standards for non-public data access (October 29, 2025).
- Steve’s Analysis: The regulatory climate for Big Tech is changing rapidly. Expect more government oversight and less “wild west” freedom for giant platforms.
5. Microsoft Teams to Enable Wi-Fi Tracking of Employees
- [69:03] Microsoft Teams to roll out a feature (December 2025) to update user work location based on detected Wi-Fi.
- Initially off by default, but can be enforced by admins.
- Privacy concerns raised, especially in light of return-to-office mandates: Could companies track if you’re at Starbucks instead of HQ?
6. Ransomware Landscape: Why Payment Rates Plummet
- [74:05] Coveware reports that for the first time, only 23% of ransomware victims pay up, down from 85% in 2019.
- However, a stark stat: While 95% of companies think they can recover from a ransomware attack, only 15% succeed when tested. [73:03]
- Coveware’s report: Modern attacks split between “spray and pray” (volume ransomware) and targeted intrusions.
- Main attack methods: Remote access compromise, phishing, social engineering, and software vulnerabilities (often well-known, unpatched flaws, not zero-days).
Notable Quote:
“Even fully patched environments were compromised when legacy credentials or partial configurations reopened an old door. The lesson remains consistent: Technical remediation without procedural rigor still leaves gaps wide enough for exploitation.” (Coveware report, as quoted by Steve) [88:05]
- Steve’s Take: Security is not about “set it and forget it”—procedural discipline, monitoring, and credential hygiene are critical.
7. Listener Feedback and the Password Policy Debate
- Continued robust discussion of NIST’s newer password guidelines. [93:53]
- Steve urges IT managers to stop requiring arbitrary password changes and instead enforce minimum length and uniqueness.
- Password changes are only necessary after a breach; using password managers and moving to passkeys/2FA is now industry best practice.
- Listener feedback underscores cultural resistance and the persistent gap between policy and user behavior.
Notable Quote:
“Implement the NIST guidelines immediately. Drop all forced password changes because they serve no purpose whatsoever, enforce minimal password length and nothing else. Take credit for bringing the light and start receiving your fellow employees’ thanks for having made their lives a bit easier. Be invited to parties. Who wouldn’t want that?” —Steve Gibson [130:57]
8. DNS Cache Poisoning Returns (!): The Main Event
- [135:50] A core segment: Recap of Dan Kaminsky’s 2008 DNS vulnerability discovery and what’s changed.
- What’s new?
- Two new vulnerabilities (CVE-2025-4778 and -4780) in BIND (and Unbound) allow attackers to predict source ports and transaction IDs due to a weak pseudo-random number generator (PRNG).
- Allows attackers to poison caches in 2025, echoing what was “fixed” 17 years ago.
- Analysis:
- “It is just unconscionable” —Steve, about any networked device (especially DNS resolvers) shipping with a weak PRNG in 2025. [153:41]
- Failures in random number generation directly compromise the most fundamental internet protocols.
- Steve reviews randomness, entropy pools, and why unpredictability is non-negotiable for security.
Notable Quotes:
“When we learn that in the year 2025, 17 years after the absolute importance of randomly selected 16-bit ports and randomly generated 16-bit query IDs, that the PRNG being used by the Internet’s most used DNS resolvers... is weak—well, you really have to shake your head.” [153:41]
“The phrase due to a weak PRNG just really annoys me because yes, no device on any busy network has any business having a weak pseudo random number generator.” [154:45]
- Bottom Line:
- If you run Bind or Unbound, patch immediately. Attack feasibility is non-trivial, but stakes—widespread redirection of traffic, spoofing of authentication—are immense.
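Steve's point that a fixed source port or a counter-like transaction ID collapses the off-path spoofer's guessing space from roughly 2^32 combinations to far less can be made concrete with a defender-side check in the spirit of GRC's DNS Spoofability Test. The Python below is an added example, not code from the show or from GRC; it runs on constructed (source port, TXID) samples, and assumes that in practice you would feed assess_resolver() pairs captured from your own resolver's outbound queries.

```python
import random

# Constructed samples standing in for (source_port, txid) pairs you would
# normally parse from a packet capture of your resolver's outbound queries.
def constructed_weak_sample(n=500):
    """Pre-2008 behaviour: one fixed source port, TXID incrementing by one."""
    return [(53, (1000 + i) % 65536) for i in range(n)]

def constructed_strong_sample(n=500, seed=7):
    """Randomised port and TXID (seeded only so the example is repeatable)."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]

def sequential_fraction(values, modulus=65536):
    """Share of consecutive samples that advance by exactly +1 (mod modulus)."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (b - a) % modulus == 1)
    return hits / (len(values) - 1)

def assess_resolver(pairs):
    """Simple randomness indicators for (source_port, txid) samples plus a verdict."""
    n = len(pairs)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    report = {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_sequential": sequential_fraction(ports),
        "txid_sequential": sequential_fraction(txids),
    }
    # Heuristics: heavy port reuse or a counter-like sequence means an off-path
    # attacker faces far fewer than the intended 16 + 16 bits of uncertainty.
    weak = (report["distinct_ports"] < n / 2
            or report["distinct_txids"] < n / 2
            or report["port_sequential"] > 0.1
            or report["txid_sequential"] > 0.1)
    report["verdict"] = "weak" if weak else "ok"
    return report

if __name__ == "__main__":
    for label, sample in (("weak", constructed_weak_sample()),
                          ("strong", constructed_strong_sample())):
        print(label, assess_resolver(sample))
```

A "weak" verdict on real captures is a reason to patch and re-test; an "ok" verdict only rules out the crude failure modes, not every PRNG flaw.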
Memorable Quotes & Moments
- “You could even use that NSA sketchy prng and be in better shape than this.” —Steve, on how bad current DNS PRNGs are [04:00]
- “Our homes are filled with cameras, microphones and mobile sensors connected to companies we barely know, all capable of being weaponized with a single line of code.” —Narayanan (14:44); echoed by Steve
- “The next 10 years are not going to look like the last 10 years.” —Steve, on tech regulation [64:46]
- “Take the high road… be invited to parties. Who wouldn’t want that?” —Steve, to IT pros about embracing sane password policies [130:57]
- “If you’re in the 85% who thought you were covered and you weren’t—veeam.com, that’s all I can say. It’s a solvable problem.” —Leo [111:09]
- “You need entropy in order to have security.” —Steve [147:00]
Important Segment Timestamps
- [13:28] – Picture of the week: Control Alt Deleaf
- [14:41] – IoT vacuum privacy story & teardown
- [32:27] – Russia/China vulnerability disclosure laws
- [53:56] – EU DSA compliance actions and fines
- [69:03] – Microsoft Teams Wi-Fi tracking
- [74:05] – Dramatic drop in ransomware payments
- [88:05] – Coveware’s “How Hackers Get In” analysis
- [93:53] – Password policy debate & NIST update
- [135:50] – Main event: DNS cache poisoning’s return, Bind/Unbound vulnerabilities
- [147:00] – Why randomness and entropy matter for security
- [162:20] – Explaining seeds, entropy, and PRNGs
- [166:11] – Trivia: The Dans of cryptography/security
Tone & Style
As always, Steve and Leo maintain a conversational and approachable tone, blending deeply technical discussion with practical security advice, personal anecdotes, and a touch of humor. Listener questions are answered thoughtfully and at length, and both hosts show empathy for both end-users and beleaguered IT professionals while never shying from holding vendors and developers to account.
Summary for Listeners
If your job is to keep infrastructure safe, this episode is essential:
- Patch DNS resolvers (Bind, Unbound) immediately due to a real, renewed risk of cache poisoning.
- Do not blindly trust IoT devices; segment them with network isolation.
- Ransomware payments are dropping, but most organizations' backups still fail under pressure—test your recovery plans!
- Stay abreast of changing laws—both regulatory and adversarial.
- Drop forced password rotation, embrace modern authentication, and, yes, you’ll be invited to parties.
For the cyber-curious and professionals alike, Steve and Leo deliver another masterclass in practical, real-world security.
Links & Further Resources:
- Coveware Q3 2025 Ransomware Report (see show notes)
- GRC’s DNS Spoofability Test
- Dan Goodin’s Ars Technica article (Oct 2025)
- NIST’s latest password guidelines (summarized in show)
- Security Now episode/YouTube page for full notes/transcript
“Take the high road. Implement the NIST guidelines immediately… Be invited to parties. Who wouldn’t want that?” – Steve Gibson [130:57]