Live From Zero Trust World 2026
Steve Gibson
It's time for Security Now. That's Steve Gibson in the flesh. Leo.
Leo Laporte
I'm Leo Laporte.
Steve Gibson
We're live in Orlando, Florida for Zero Trust World. Steve's presentation, "The Call Is Coming from Inside the House," and extra Security Now coming up, and oh, we better get going. We're on.
Announcer
This episode of Security Now is brought to you by ThreatLocker. ThreatLocker's Zero Trust platform blocks every unauthorized action by default, stopping known and unknown threats, including VM-based malware that evades traditional antiviruses. Ringfencing constrains tools and remote management utilities, preventing lateral movement or mass encryption. ThreatLocker works across all industries, supports Mac environments, delivers comprehensive visibility and control, and provides 24/7 US-based support. Trusted by JetBlue, Heathrow Airport, the Indianapolis Colts and the Port of Vancouver, and recognized with G2 High Performer and Best Support for Enterprise, Summer 2025, PeerSpot number
Steve Gibson
one in application control.
Announcer
GetApp Best Functionality and Features 2025. Get unprecedented protection quickly, easily and cost effectively. Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com/twit
Steve Gibson
Podcasts you love from people you trust. This is TWiT.
Announcer
This is Security. Episode 1068, recorded live Wednesday, March 4, 2026 at Zero Trust World 2026: The Call Is Coming from Inside the House.
Event Host
All right, welcome back everybody. It's time to close this out. This is our final main stage session of the day. Security Now: The Call Is Coming from Inside the House. So for years we've built stronger perimeters, better firewalls, better detection, better external defenses, and we got pretty good at it. But the next frontier isn't outside. It's inside. Some of the biggest breaches in recent years didn't happen because the perimeter failed. They happened because internal systems were over-trusted. Too much access, too little segmentation, policies built on assumptions instead of verification. Zero Trust was born to solve exactly that problem. And there are few voices that are more respected in this space than the hosts of Security Now. Steve Gibson, founder and CEO of Gibson Research Corporation, has been programming since 1970 and brings decades of deep technical insight on modern Internet security. His passion for low-level computing and secure system design is legendary. And Leo Laporte, founder of This Week in Tech Network, has been hosting and shaping tech media since 2005, bringing clarity, context and conversation to millions of listeners worldwide. Today's session is a live recording of the Security Now podcast. And yes, it will run a little bit longer by design, followed by a meet and greet in the Solutions Pavilion. This is our final session and this will be a strong finish. Zero Trust World, are we ready? I want more of those guys. Zero Trust, are we ready? Ladies and gentlemen, Steve Gibson and Leo Laporte.
Steve Gibson
Hey everybody. Great to see you. Thank you for coming. This is Steve Gibson.
Leo Laporte
We got some people.
Steve Gibson
Yeah, let's sit down, Steve. And we're going to talk. So I never on Security Now, have I gone through your full bio.
Leo Laporte
Thank God.
Steve Gibson
So I decided to ask AI who you are. So get ready. And if I say anything wrong, it's
Leo Laporte
going to be hallucinating.
Steve Gibson
You got. Did you start writing software when you were 13 years old?
Leo Laporte
Okay, well they got that right.
Steve Gibson
PDP-8. That's right. For Data General. It says Data General. See, that's a lie. For DEC. DEC. Close. Okay, close. When he was 15, Steve got a job, high school student working a summer job, working at the Stanford AI Research Lab, SAIL. That's pretty amazing. And at the SAIL lab you were working on speech synthesis. Now this is what, 1973, this was in?
Leo Laporte
No, 70, like 71.
Steve Gibson
Very early. Yeah. The speech synthesis he worked on ended up as part of Texas Instruments' Speak & Spell. Did you ever, when you were little, did you have that thing you press
Leo Laporte
the button if anybody remembers those things.
Steve Gibson
A, B, C. He also wrote a light pen application for the Apple and the Atari. Right?
Leo Laporte
Yeah, hardware.
Steve Gibson
I'll skip the ad agency part. Nobody cares about that now. He in 1985 founded GRC, the Gibson Research Corporation. And one of the things that I first became aware of, Steve, was your InfoWorld column, which I loved, in 1986. Tech Talk. From 1986 to 1993, Steve wrote about technology in an accessible, fascinating way. He's always been a little bit of an iconoclast, kind of an outsider banging at the wall of technology. And I loved that. In fact I started writing for InfoWorld because of you. So thank you for that. Now when you were in 2001, when you were working in security, you got mad at Microsoft.
Leo Laporte
I do that frequently.
Steve Gibson
You may remember that in Windows XP they released something, a capability to use raw sockets, which meant you could impersonate any address.
Leo Laporte
So the big problem was that as we know, Bill Gates wanted to compete with the Source and CompuServe.
Steve Gibson
So he was doing what a good
Leo Laporte
idea, the Microsoft Network, MSN. And that was going to be dial-up modems and things. And then he got surprised by the Internet, which was not what he expected to have happen. So they had Windows, but it was like, with a modem. And so they got a TCP/IP stack and stuck it on Windows and put it on the Internet. So this was Windows on the Internet. And this predated NAT routers. We didn't have NAT routers then. So my company, I thought, oh, the Internet's happening. Let's put our machines on the Internet. And it turned out that other people had Windows and all of their C drives were shared on the Internet. It was freaky.
Steve Gibson
I mean, this gave rise to a slogan that we often use at Security Now: what could possibly go wrong?
Leo Laporte
And so this was the genesis of ShieldsUP! I created ShieldsUP! to show people
Steve Gibson
your ports are open.
Leo Laporte
And so that was my first.
Steve Gibson
How many of you have used ShieldsUP! to secure your networks or secure at home? I use it every time I set up a new router.
Leo Laporte
So its genesis was that Microsoft just stuck Windows on the Internet, which was the original upset. And then, as you were saying,
Steve Gibson
they
Leo Laporte
took an operating system, Windows 2000, which was more enterprise oriented, and they created XP. But because they took the network stack from 2000 to XP, consumers were gonna have the ability to generate raw data on the Internet, which was gonna create a DDoS nightmare.
Steve Gibson
In fact, you did get DDoSed by a raw socket attack shortly thereafter. You also got a lot of hate, not only from Microsoft, but people in general said, what? You're all worried about raw sockets? Three years later with Service Pack 2, Microsoft said, oh, yeah, maybe you're right.
Leo Laporte
Well, and there was no firewall in Windows until they introduced it in XP, but it was disabled by default until Service Pack.
Steve Gibson
So I first met Steve. I'll give you an idea of how long ago it was. He had just written a program called Trouble in Paradise, which was able to diagnose the click of death on a Zip drive. Do you remember Zip drives? Yeah, that's. Yes. Who could forget? And we had him on The Screen Savers, the TV show that I was doing. This was probably 1998, talking about the Click of Death. And we've been friends ever since. We first got together to do a podcast 21 years ago. We've been doing.
Leo Laporte
This was your idea. You and I were doing some TV up in Canada because you had TechTV and Call for Help, right? And during our break, we would do four programs in one day. And between, like, they had to rewind their tapes or something. And so between that, you and I were just talking. You said, hey, how would you. What would you think about doing a podcast about security? And I said, a what cast?
Steve Gibson
And this was very early on. You were also concerned that there wouldn't be enough material.
Leo Laporte
Oh, we're going to run out of
Steve Gibson
stuff to talk about. 21 years later, the show isn't getting shorter by any means. It's getting longer. We're going to do a short version of Security Now today. Don't worry, I promise we'll get you to the cocktail party in time. Steve proposed actually, over this 21 years, we've seen big changes in security. Early on, it was all about protecting the perimeter. It was all about firewalls, as you mentioned. But things have changed quite a bit. And I think it was. Wasn't so long ago, maybe last year, where you started to say, you know, there's a different issue at hand, and this is where the title, the call, the threat is coming from inside the house.
Leo Laporte
So, yes, the. One of the. Again, we've been doing this for 21 years. I remember early in the podcast talking with you about the fact that there were viruses. You know, I mean, there was mischief being conducted. You know, DDoS attacks. People were like, you know, getting pushed off the Internet, but there didn't seem to be a purpose. There was no reason for it. It was just, you know, born for the lulz. Yeah. I mean, it was just to see if it could happen. I think that probably the most pivotal defining change was the emergence of cryptocurrency
Steve Gibson
because
Leo Laporte
it was the ability for bad guys to extort and for there to be a way for them to get paid. That turned this from hobbyist hijinks to, you know, foreign state actors having a motivation.
Steve Gibson
You may remember in the early days, they were asking for you to go down to the drugstore and buy cards that you would then mail to them. Not the best way to extort, but as soon as you could do it anonymously with crypto, everything changed.
Leo Laporte
Everything changed. And so I think what we've seen is that, you know, one of the things I wanted to make sure I shared today was for everyone to understand that the bad guys don't care about the data that they're taking. Right. I mean, you and I, after that most recent data breach last year, we looked up our Social Security numbers.
Steve Gibson
Oh, yeah, the data broker breach.
Leo Laporte
The personal data is out there. It's already escaped. But the value of cryptocurrency is that it allows extortion. And if bad guys are able to get into an organization's network and maybe cripple their machines, but certainly exfiltrate their Data, then they have something that they can ransom. And in the same way that a kidnapper doesn't want the entity, the person they've kidnapped, that person's a liability to them. You know, the value is extortion.
Steve Gibson
Right.
Leo Laporte
And so one of the things that has changed because, and we heard this 20 years ago, nobody would want to attack us. You know, why would anyone want to attack our. Our enterprise, our organization? It is for the sake of extortion. It is so that they can say, we've got your data. You may have a backup of it, but what's it worth to you for us not to tell the world or to leak the personal and business data that we have stolen from you?
Steve Gibson
Right. So they have the means, they have the motive.
Leo Laporte
The motive is extortion and payment.
Steve Gibson
Yeah, the opportunity. It's really up to these guys to keep them from getting the opportunity.
Announcer
Is that right?
Leo Laporte
I think so. And one of the other issues, I think for anybody who's doing IT security, is, you know, the famous expression is it's not possible to prove a negative. It's how do you get credit for your organization not being attacked? How do you demonstrate that? It's because you have the budget that you have for it and the equipment that you have and the staff that you have. Certainly there's profit pressure in any enterprise. And so when the guys who are controlling the purse strings look around for where they can cut, they're like, well, we haven't had any problems with our IT. Everything's going great. So let's cut there. And it's like, wait a minute. The reason everything is going great and you haven't had any attacks is that we've been able to keep the defenses up. We've been able to purchase expensive network gear that even though the old stuff was still working, it was now no longer being serviced. And we know that there are probably vulnerabilities there. So it's crucial that we continue to fund this enterprise of keeping the network safe.
Steve Gibson
I suspect that you all know I'm
Leo Laporte
seeing heads nodding out there.
Steve Gibson
Do you think, though, that that's changed a little bit? I mean, for the longest time, there was this incredible pressure on IT to do more with less, to be secure. But I think with all these breaches and all the issues that are coming up, do you think organizations are starting to understand? No, no, this is really.
Leo Laporte
I think there's much more traction that's available now for the security side to say, would you like our enterprise's name on the board of Shame of outfits that have been breached.
Steve Gibson
There's that wonderful site. Do you remember what the name of it is?
Leo Laporte
In real time?
Steve Gibson
In real time every day would show you the breaches that have happened today. It was usually a dozen, 20 breaches in a single day.
Leo Laporte
In the morning, not so much, but then in the afternoon,
Steve Gibson
yeah, you don't want to be on that list. And I hope that business leaders are realizing that the best way not to be on that list is to take it seriously.
Announcer
Right.
Leo Laporte
And so when we were thinking about what it was we wanted to say today and came up with the title of this, my sense is, from what you and I have seen over the last couple decades, is that we are getting much better about protecting the perimeter. Not 100% yet. There's still a way to go. One of the issues, I think, is that there is a pain associated with increasing security.
Steve Gibson
One of the.
Leo Laporte
Yes, always there is a security versus convenience versus security trade-off. And one of the biggest problems that we see is it would be possible to further increase, for example, perimeter security. I've been saying for a while now on a podcast that authentication doesn't work. I mean, if it did, we wouldn't keep over and over and over seeing serious problems with authentication failing. Cisco just had a 10.0 authentication failure in their SD-WAN product, which enterprises use to interlink satellite offices. And as we know, you have to really try hard to get to 10.0.
Steve Gibson
CVE of 10 is hard. That's like Nadia Comăneci.
Leo Laporte
It's easy to do and it's not a low probability attack. You just figure out how to do this.
Steve Gibson
That one in the wire, in the
Leo Laporte
wild, Cut right through. Oh yeah, it's in the wild. The Australian Signals Directorate discovered it and then all of the various security organizations around the world started, you know, screaming about it.
Steve Gibson
At one point it got so bad with breaches that we stopped reporting them.
Leo Laporte
They were boring to our listeners.
Steve Gibson
There was no point. Everybody is. Every day there's another breach. That's not news.
Announcer
No.
Leo Laporte
And so an example of this SD-LAN or SD-WAN breach is a perfect example where it was an authentication failure, some bug in Cisco's system that was allowing bad guys, and they were in this case Chinese state-backed attackers, probably located in China, getting into enterprise networks through this authentication failure. So I asked the question, why could someone in China get a connection? Why do you want people in China trying to connect your SD-WAN?
Steve Gibson
No.
Leo Laporte
So put a firewall rule in front of it because you know where the entities are that you do Want to have connecting. Everybody else should be locked out.
Steve Gibson
Right.
Leo Laporte
But it's, you know, whoa, what if their IP changes? That would, you know, then we wouldn't be able to connect again. Some lack of convenience in trade for much greater security.
Steve Gibson
You should probably whitelist, not blacklist. Right. You know what IP addresses.
Leo Laporte
Oh yeah, it ought to be, yeah, it ought to be a blanket. You are. No packets come in unless it's from this IP. This IP, this IP.
Steve Gibson
It's that same idea of. Right.
Leo Laporte
Yes, it is authorized.
Steve Gibson
Exactly.
Leo Laporte
And so even though we've gotten way better at securing our perimeter, we could still get a lot. There's still a long ways to go because again, we all understand the notion of multi-layered security. Unfortunately, too many people are just assuming that authentication works at the border still today. Yes. Otherwise we wouldn't be seeing these breaches.
Steve Gibson
Right.
Leo Laporte
And so do you think that part
Steve Gibson
of it is, and we talk about this a lot, that there's the impression that, well, it's nation state hackers that have the sophistication to do this. We aren't going to be the target of a nation state hackers. So we're probably okay. People assume their threat model. They don't have to worry about.
Leo Laporte
We are financing North Korea.
Steve Gibson
That's the problem. Right?
Leo Laporte
Yes.
Steve Gibson
Because there is a, there is a motive for that. Because of hard currency.
Announcer
Yep.
Steve Gibson
Yeah. And they. We saw the number a couple of weeks ago.
Leo Laporte
Huge amount of money that is flowing to North Korea because. Because their hackers are good and they're jumping on problems as soon as they occur. And our border defenses are still not what they could be because it is much less convenient to do that. I mean, I guess if I had one thing I would urge everyone to do, it would be to assume that authentication doesn't work. Because that's what we see. We see example after example after example, after. And so if you assume it doesn't work, then take the responsibility of what happens if it fails. Imagine if bad guys could connect to your enterprise VPN, then what? Well, the simplest protection is simple IP address filtering because most enterprises aren't like residential consumers whose IP will change. But even there it doesn't change much. I mean it is, it is my entire defense. I have three nodes, two places I work from and GRC's facility in what used to be a Level 3 data center. But they've been purchased about 12 times since then. So I don't even know what they call them.
Steve Gibson
Who owns them now? No one knows. I don't know.
Leo Laporte
But my IPs don't change. My entire defense is that I have IP address filtering in all three locations so they can only talk to each other. And I have. Yeah, yeah. And within that, of course, I'm authenticating. But you know, I look like just a black hole to the rest of the world because for that simple expedience of using a firewall in front of those three locations.
Steve Gibson
Yeah. You would think they are saying, well, we're going to route it through Africa, so you won't know it's China. But it's funny, I still see all the time on my home network Chinese logins, one after the other, trying to get through the NAS or getting. You actually told me, I set up my SSH server, which is now off, so don't get any ideas. And I, and I set it up with port 22 and I thought, well, they can use Shodan or they can find the port, so why use an obscure port? And security through obscurity doesn't work. But you, but you said, no, you should still use. There's. It's. In other words, it's not a silver bullet. There is no silver bullet. But you shouldn't also make it easy for them right there. So when I had put port 22 open and you immediately all these Chinese
Leo Laporte
attacks, if, if your goal was to give everyone a better sense of this, if your goal was to have SSH as a global service, which is a
Steve Gibson
mistake to begin with, then you'd want
Leo Laporte
it to be on Port 22 where the globe would know to look for it.
Steve Gibson
Right.
Leo Laporte
And if you want to want to run a web server that's got to be on 4, 3 or 4, and email's gotta be on 25 and so forth. The only places you should use default ports are where default users who don't know specifically where your service is would go to look. Otherwise, why leave it in on the default port? Yes, it's not gonna protect you from someone who's gonna scan all your ports, but it's trivial to put it somewhere else, so why not?
Steve Gibson
Right.
Leo Laporte
So it just cuts down on opportunistic attack.
Steve Gibson
It's layers. You got to do a lot of things.
Leo Laporte
And I would use them all. Yeah, I mean, just, you know, so many and so that, you know, yes, maybe something's going to be fragile and break occasionally, but again, even though you're not going to get credit for not being attacked, you get to sleep at night.
Steve Gibson
I've learned so much doing this show. We remember we used to talk about Hitachi or Hamachi, not Hitachi, Tachi, Hamachi. Which then got sold to LogMeIn and we stopped using that, and Tailscale and WireGuard and all of these techniques. It's one of the reasons I love doing this show, because I learn so much for it. This is kind of a special edition of Security Now. We usually do the show on Tuesdays. We usually spend a couple hours at least talking about attacks, what's happening in the world, the latest security news. Have any of you ever listened to Security Now? Is there just a few of you? Okay, all right. The entire front row has listened to this show. The rest in the back are going, I don't know, it's just. Where's the free dinner? So good. We're doing a special version of this. We're going to pause for a moment because we have a commercial break. Thanks to our great sponsors here at ThreatLocker who brought us out for the event and we really appreciate ThreatLocker and they've been a great sponsor for us and all the way into 2026. We're very happy to have them. We'll come back and when we come back we're going to talk about remediation, what you can do to protect yourself in this kind of new world because, well, we'll talk about what that call coming from inside the house is. It's not a babysitter sitting downstairs and a bad guy upstairs. It's something else. This is Security Now. Hey everybody.
Announcer
This special episode of Security Now is brought to you by guess who? ThreatLocker. We're here right now at Zero Trust World where ThreatLocker is hosting some of the brightest cybersecurity experts for the sixth year in a row. I gotta tell you, this is a great conference. Zero Trust World provides crucial education and training to support IT professionals along with full session access, hands-on hacking labs, meals and after party. Even the opportunity to take the Cyber Hero certification exam. Be sure to check out this exciting interactive three-day event that happens every year to get hands-on cybersecurity training, expert insights and more. You know, ThreatLocker's Zero Trust platform takes the proactive deny-by-default approach you want, that's the key. Deny by default blocks every unauthorized action. Unless you explicitly permit it, it doesn't happen. And that protects you from both known and unknown threats. ThreatLocker's innovative Ringfencing constrains tools and remote management utilities so attackers just can't weaponize them. They don't get lateral movement, they can't do that mass encryption ransomware thing. ThreatLocker works in every, they've got great 24/7 US-based support. They work on Windows, they work on Macs, in every environment. And with ThreatLocker you get comprehensive visibility and control. Just ask Emirates Flight Catering, a global leader in the food industry. 13,000 employees and happy ThreatLocker customers. ThreatLocker gave them full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support. The CISO of Emirates Flight Catering said this, quote, "The capabilities, the support and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO."
ThreatLocker is used by enterprises and infrastructure companies that just can't go down, not even for a minute. Companies like JetBlue, the AVA's ThreatLocker, Heathrow Airport, the Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition. They're G2 High Performer and Best Support for Enterprise, Summer 2025. They're PeerSpot ranked number one in application control. They got GetApp's Best Functionality and Features award in 2025. Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker and we'll see you next year, please, at Zero Trust World. Now back to the show.
Steve Gibson
This is Security Now. We're coming to you from Orlando, Florida. We're here at the ThreatLocker Zero Trust World conference. We thank ThreatLocker for bringing us here. Steve Gibson and Leo Laporte and a really nice crowd. There are about, I think they told me there are 19, 1800, 1900 people here learning about security. I did a hacking lab earlier. I didn't realize this, Steve. They have, I just asked Heather, something like 900 laptops for these labs. You haven't gone into one of the labs. If you've done the labs, right, it's really cool. I want to do the Metasploit one. It was jammed, there was nowhere to get in. But they have laptops for everybody. They can come in, they can sit down and do these hands-on robots workshops, which is really, really cool. I learned how to hack the web today. It was fun. So that's really cool. And there have been some wonderful speakers. So we're really pleased we could be here. I hope we can do this again next year and I hope we'll see you all again next year. So let's talk about. Given that the world has changed, incentives have changed, the means have changed, the motives are clear. Where is the biggest threat right now?
Leo Laporte
So we've, we pretty much covered keeping the bad guys out at the network level. Authentication cannot be relied on. Packet filtering is so dead simple that I can't, you know that if there's any way it can be used, it should be used.
Steve Gibson
I run fail2ban, so if people try to log in too many times, just boots that.
Leo Laporte
Yeah, just, I mean just assume that authentication is a weakness and engineer yourself so that you're not worried about that. So the thing that we've been seeing in the last couple years is a. Because I think in general things are getting better in terms of the secure perimeter is the bad guys going around the perimeter. The Shiny Lapsus Hunters group.
Steve Gibson
That's social engineering.
Leo Laporte
Primarily the social engineering.
Steve Gibson
We talked last week. They're trying to hire women.
Leo Laporte
They are hiring women and paying them a lot of money. 500 to $1,000 up front to place social engineering calls, calls with a woman's voice. Under the logic that will be more
Steve Gibson
convincing, the customer service rep is going to say, oh, you poor lady. We were talking last week about, I remember there was a hack where a woman called, "My husband's out of town," and she had a recording of a baby crying in the background. And it's all to get the customer service rep whose job is customer service to do the SIM jack, to make a mistake, to swap the SIMs, to make a mistake, to make a mistake. They're very good. Shiny Lapsus Hunters is pretty amazing what they can.
Leo Laporte
And you had an instance in the last couple months.
Steve Gibson
Don't have to talk about that.
Leo Laporte
And I did.
Steve Gibson
Where
Leo Laporte
I didn't click the link.
Steve Gibson
I did, but
Leo Laporte
was like it was
Steve Gibson
reasonable looking, you know. Jeff Jarvis just did the same, texted me this morning. He got a text from AT&T and he clicked it. You know, I was offered free headphones. I thought, well that's a good deal. And I started to go through the process till I realized that it was a website in the Philippines and I was trying to give them my credit card number. So. And we're presumably relatively sophisticated. We're aware the problem is they get you at a weak point. I'd been getting a lot of text messages from my carrier.
Leo Laporte
You're late for lunch. And so you just think, okay, I
Steve Gibson
hadn't had my coffee. That was my excuse.
Leo Laporte
Yeah. So I think that this, to my way of thinking, that's the next frontier for enterprise security.
Steve Gibson
The call is your employees. Let's be frank, right?
Leo Laporte
The reason a personal computer is so much fun, the reason we all got our own PCs, is we could do anything with it we wanted.
Steve Gibson
It's a general purpose device.
Leo Laporte
There were no constraints. You could download software, run it, do whatever you wanted to do. That model doesn't work inside the enterprise. I mean, and the reason I think it's like the final frontier, it's also the biggest problem.
Steve Gibson
Well, your users have personal computers at home.
Leo Laporte
They know the way it's supposed to be. They want freedom, but they can't be trusted with that freedom. And again, you and I couldn't be because we almost clicked the link. I mean, so it's not about who they are or lack of, of training. It's that there is tremendous pressure created by the opportunity to extort, which there wasn't historically, but there is now, thanks to cryptocurrency. So there is pressure and that's, I mean, I don't want to have anyone come away undervaluing the importance of that. You know, your boss says, well, who would want to attack us? Who would want to, you know, you know, we don't have anything.
Steve Gibson
You do. You do.
Leo Laporte
You have extortability, right? And so this tremendous pressure is motivating endless cleverness.
Steve Gibson
You know what scares me? We get these emails all the time. We unfortunately, I think we're going to change this, have an easily guessable email address for our accounting department. Somebody said, oh, and so we get literally, you know, several emails a day, right, Lisa, saying, you know, your bill is due. And now we're a small enough company so that our accounting people know enough not to do that. But if you have a large company with a big accounting department, a lot of invoices coming in. That terrifies me. That would be so easy. Just buy, you know, just say, oh yeah, well, let's pay that invoice. How do you control that? That's really problematic. That
Leo Laporte
I think that what this next frontier of security that is to deal with the call that's coming from inside the house, it's necessary to unfortunately reconceptualize the internal networking architecture. You need to assume, not that you have an evil maid, as it's called, an evil.
Steve Gibson
We're going to change that.
Announcer
By the way.
Leo Laporte
An evil.
Steve Gibson
An evil butler. How about that?
Leo Laporte
Or evil janitor or something. No, it's not a bad employee. It's somebody who a social engineering hack tricked.
Steve Gibson
And they're really good now, they've gotten better, these engineers.
Leo Laporte
Yes. And they're going to keep getting better. Again, don't underestimate the pressure to get inside. And so, you know, anyone who's listened to security now has heard me talk about the model I have of security as being porous, where it's not as open as a sponge, but more like some porous stone, where if you have sufficient pressure, you can get some leakage through. So you have security, you have a wall, but it isn't perfect.
Steve Gibson
But nothing is perfect.
Leo Laporte
And this is the problem, is that it only takes one mistake from one employee, one time, who allows something onto their machine.
Steve Gibson
The bad guys have to be perfect. The bad guys only need to succeed once.
Leo Laporte
So in the same way that I would urge people from the outside looking in to assume that authentication doesn't work, you cannot rely on authentication. The sad reality is you cannot rely on your employees not making a mistake. Making a mistake is human.
Announcer
Right.
Leo Laporte
And so, and you can give them training and you can be testing them. And we know that we have sponsors of the podcast that specialize in doing exactly that.
Steve Gibson
There's people on the show floor doing that. This, all of this training.
Leo Laporte
Yes. Raising, you know, maintaining on a level, a heightened level of anxiety, essentially, right, about, like, that individually, they're under attack.
Steve Gibson
You're not saying, don't do that. It's just insufficient.
Leo Laporte
No, I'm saying you need that. Yes, it is insufficient because mistakes can still happen. And so the easy way of setting up an organization's network is to have a big switch and plug everybody in, and we're one big happy family.
Steve Gibson
And if you're inside the network, you're good.
Leo Laporte
Exactly. And the problem is you are then maximally vulnerable in that scenario.
Steve Gibson
So
Leo Laporte
a powerful technique, and I saw it mentioned in some of the notes for this conference, a powerful technique is whitelisting apps. It's also really painful because nothing that's not whitelisted will work, and it's going to upset people.
Steve Gibson
Do you ban all shadow IT? Do you ban. You say you can't use outside apps. You can't.
Leo Laporte
I think you have to. You know, I heard you just the other day giving the example of the employee who gets their laptop infected at home and then brings it into the enterprise.
Steve Gibson
It happened to the NSA, for crying out loud. If it can happen to the NSA, it could happen to anybody.
Leo Laporte
Yeah. So the final weakness, I think, the call that's coming from inside the house, is not somebody who's maliciously attempting to do something, but somebody who makes a mistake, who allows something bad to get into their machine. And now their machine has more access than it should have. That's where I'm going with this. Is that in the same way that if authentication isn't perfect, then you've got IP filtering to back it up so they don't even have a chance to authenticate because they're coming from an untrusted location in the world where only three are trusted. The others, you know, everything else isn't.
Steve Gibson
This is zero trust.
Leo Laporte
That's the whole idea, zero trust.
Steve Gibson
Yeah.
Leo Laporte
And so it's.
Announcer
You used to call it Trust No
Steve Gibson
One. You coined that phrase, TNO.
Leo Laporte
Well, I got it from Mulder on X Files.
Steve Gibson
Okay, yeah, that was in a different context. I think there were aliens involved. But it's the same idea.
Leo Laporte
So you have to then say, okay, if something bad gets into this employee's machine, what could it do? What access does the machine have? And I would argue that in this day and age, still today, too many endpoints in the enterprise have too much privilege. We all understand the concept of least privilege, but it is so difficult to actually implement.
Steve Gibson
Well, try telling the CEO that he can't serve tanks he wants.
Leo Laporte
Right, Sorry. Because he could make a mistake.
Steve Gibson
Well, he will make a mistake. He's probably more likely than anybody to make a mistake. I hope this message, though, is getting through to business leaders, to CEOs. They understand that. Yeah, we're locking you down for a good reason.
Leo Laporte
Well, and arranging to send them a spoofed email that they fall for. That's one way would be like to say, well, look, it did happen to you. Yeah, so the point being, ask yourself what happens if any endpoint in the enterprise is malicious? Does it have too much privilege? And I understand the pain. I mean, just the additional overhead associated with really implementing a least privilege policy on an endpoint by endpoint, node by node basis. It's not the default. It's not easy. As I said, the easiest thing to do is to get a switch and plug everybody in. You need to segment, you need to think in terms of departmental level access. But what we always see is the bad guys get in somewhere and then they lateral movement. Lateral movement within the network.
Steve Gibson
We were talking the other day about a hack that somebody had set up 90% zero trust. But there was a security camera that had just enough RAM and just enough processor to run an encryption routine, a malware routine. So they used that. That was the one thing that wasn't protected. Yeah. It seems like, though, if you really implement true zero trust, that would be easier in the long run. The hard thing is the social thing is explaining to your users that you super glued their USB ports.
Announcer
It's not. It's not easy.
Steve Gibson
Yeah.
Leo Laporte
Or that, you know, if you want to log in, you have to go. You have to jump through some hoops in order to do.
Steve Gibson
You have to.
Leo Laporte
You have to continually internally re-authenticate. Prove that.
Steve Gibson
Oh God, we hate that though. Yes. You know, I'm sitting at breakfast. Google's making me log in again. But that's why.
Announcer
Right.
Steve Gibson
That's what you have to do right now. You worked on SQRL. You had an idea for a good authentication method that did not require a password is passkeys. That's part of it. Right. Making it easy and still secure. Is it possible to have both?
Leo Laporte
It seems to me that what we're going to, where we're going to end up being is pervasive biometrics within the enterprise, iris or fingerprint or a thumbprint
Steve Gibson
on your keyboard or on your level three facility. Your COLO had that. Right. You had to do a hand print.
Leo Laporte
Yeah, I had a hand geometry reader in order to get in.
Steve Gibson
Yeah.
Leo Laporte
So the way I think this story ends is that in order to do anything, the user needs to continuously re-authenticate. And I don't mean anything, but I mean like certainly you need to create security perimeters and think this through. A lot of thought will have to be put into this. But it will be necessary for the person to constantly prove that, you know, they are them doing this.
Steve Gibson
But that's why passwordless is a step
Leo Laporte
forward and that's why biometrics and biometrics. I think because if people are going to get very used to putting their
Steve Gibson
thumb on something, it's not so hard.
Leo Laporte
No, exactly. And that's where you trade off.
Steve Gibson
Yeah. The face recognition, it's a little easier and it's as secure.
Leo Laporte
It's necessary because I think you need to have it demonstrated that this is an internal entity. An employee in the organization who wants to do.
Steve Gibson
They should feel good about it because this is what we have to do
Leo Laporte
and we made it easy for them. Just put your thumb on the keyboard in order to do it.
Steve Gibson
We only have five minutes left. What about. I mean one thing that's really changed the landscape in so many ways is AI.
Leo Laporte
We're so early in AI that I don't think we yet could guess what's going to happen.
Steve Gibson
I think that's a fair bet. Yeah.
Leo Laporte
I got a piece of feedback actually from One of our listeners last week. That, and I'll probably mention it in our next podcast. It was an application of AI for watching. So it ran locally on their machine, and its job was to keep them out of trouble. And I think that's brilliant.
Steve Gibson
Good idea.
Leo Laporte
I think it's brilliant. You and I could use an AI looking over our shoulder.
Steve Gibson
Click that link.
Leo Laporte
Exactly.
Steve Gibson
Because that sounds a little bit like the Nanny UAC Windows UAC kind of. People really resent that, except way more.
Leo Laporte
Way more intelligent.
Steve Gibson
So we're not talking Clippy.
Leo Laporte
Do we remember every time to look at the far right end of the URL to see what the TLD is?
Steve Gibson
We'd look at it mostly, but AI would always look.
Leo Laporte
It would always look and it would see what the URL underneath the link that we're about to click and neuter our clicking it. You know, we, whoops, wait. And then up comes the dialog saying, wait a minute, you know, no, what you think you're clicking doesn't correspond to what this email is about. So I, you know, none of us want. Well, most of us don't want Recall, you know, like, you know, recording everything we do with our machine. Recall.
Steve Gibson
It's funny because it was simultaneously too much and too little.
Leo Laporte
Right?
Steve Gibson
So it didn't. It didn't go far enough, and it went way too far.
Leo Laporte
But I love the idea
Steve Gibson
where the
Leo Laporte
way the world has evolved with the external pressures creating an economic incentive for bad guys to breach our security and suborn an employee without their knowledge,
Steve Gibson
thus
Leo Laporte
tricking them into making a mistake. Having a local AI which is looking over their shoulder all the time, it's not leaking information. It's not in the cloud. You don't have to worry about it from a privacy and security standpoint. Watching what they do, keeping them from pasting something on their clipboard into the run dialogue and hitting enter, because they don't really. They're following instructions. They don't know that's bad. And it says, whoops, hold on a second.
Steve Gibson
All the frontier models are now starting to add security modules to it. And I think, you know, at first, I think people were a little nervous about this idea, thinking, well, even with vibe coding, that the AI may make security mistakes. And maybe early on it was. But you can also, I think you can train AIs not to do buffer overflows, not to use strcpy when it could use strncpy. It can look at the patterns that are of common mistakes and prevent you from doing those. Right.
Leo Laporte
My feeling is we're Also at the early stages of.
Steve Gibson
It's not perfect yet.
Leo Laporte
AI coding.
Steve Gibson
Yeah.
Leo Laporte
Anytime you take a deep general AI and say, write some code, that's a bad idea. You're not doing nearly as good a job as when you have a specific coding AI that you, you know, gave birth to from scratch for that purpose. That's it. That's really going to be something. We haven't seen that yet.
Steve Gibson
Yeah, we're getting there. Yeah, it's pretty amazing.
Leo Laporte
Oh, we got a long way. We're at the 1% point, really. I mean, you know, if anyone were to ask two years ago, would we be where we are today with AI, we would not have predicted this.
Steve Gibson
And two years hence, who knows?
Leo Laporte
No, there's just no way to know.
Steve Gibson
Yeah. This is why old guys like us are still excited about doing what we
Leo Laporte
do, because keep an eye out for agents that keep your employees from making mistakes. I think that's going to be a serious work.
Steve Gibson
Yeah, I like that idea. I hope you all will subscribe to Security Now. You'll find it on our website, TWiT.tv/sn, or in your favorite podcast app. We do it every Tuesday. Steve is a national, international treasure. We're very glad that he decided to keep doing it. For a while, he was making noises about stopping at his 999th episode. But we're now at 1068. So that's the good news. Let's hope for another thousand. Thank you so much. We really appreciate it. I thank you, Steve. And we're going to go to the cocktail party and if you want to get a selfie with Steve, we'll be there.
Leo Laporte
Or with Leo.
Steve Gibson
Well, I'll be behind him on the devil horns. Thank you so much. We really want to thank ThreatLocker, our sponsors for this show. Sponsors for the conference. I think they do an amazing job and we're really happy to be partnered with them. I hope you have a great conference. See you later. Security.
Event Host
Now,
Live from Zero Trust World 2026
Date: March 5, 2026
Hosts: Steve Gibson & Leo Laporte
This special live episode, recorded at Zero Trust World 2026 in Orlando, dives deep into the evolving threats to cybersecurity, focusing on the shift from perimeter-based defenses to tackling internal vulnerabilities. Steve Gibson and Leo Laporte reflect on their decades-long journey in security, analyze the rise of extortion-driven attacks fueled by cryptocurrency, and discuss why internal threats—often caused by social engineering and user mistakes—are now the critical frontier (“the call is coming from inside the house”). The episode is rich with anecdotes, practical tips, and a candid assessment of modern enterprise security challenges.
Quote:
"Early on, it was all about protecting the perimeter... things have changed quite a bit."
—Steve Gibson (10:16)
Quote:
"The most pivotal defining change was the emergence of cryptocurrency because it was the ability for bad guys to extort and for there to be a way for them to get paid."
—Steve Gibson (11:21)
Quote:
"You have extortability, right? And so this tremendous pressure is motivating endless cleverness."
—Leo Laporte (35:00)
Quote:
"I've been saying for a while now on a podcast that authentication doesn't work. If it did, we wouldn't keep over and over and over seeing serious problems with authentication failing."
—Steve Gibson (17:13)
Quote:
"Security through obscurity doesn't work. But you said, no, you should still use [non-default ports]...It just cuts down on opportunistic attack."
—Steve Gibson (24:53)
(30:36–46:25)
Quote:
"They're hiring women and paying them a lot of money...to place social engineering calls, calls with a woman's voice. Under the logic that will be more convincing."
—Steve Gibson (31:35)
Quote:
"The call is your employees. Let's be frank, right?...The final weakness...is not somebody who's maliciously attempting to do something, but somebody who makes a mistake."
—Leo Laporte (33:33–39:53)
Quote:
"Ask yourself what happens if any endpoint in the enterprise is malicious? Does it have too much privilege?"
—Leo Laporte (42:08)
(43:19–50:30)
Quote:
"It seems like, though, if you really implement true zero trust, that would be easier in the long run. The hard thing is the social thing...super gluing their USB ports."
—Steve Gibson (43:19)
Quote:
"Where we're going to end up being is pervasive biometrics within the enterprise—iris or fingerprint or a thumbprint on your keyboard..."
—Leo Laporte (44:40)
Quote:
"Having a local AI which is looking over their shoulder all the time...keeping them from pasting something on their clipboard into the run dialogue and hitting enter...and says, whoops, hold on a second."
—Steve Gibson (48:15)
Steve and Leo urge organizations to face the new reality: Perimeter defenses are necessary, but no longer sufficient. Real security means re-engineering internal trust, reducing user and endpoint permissions, and supplementing human vigilance with technical enforcement—security must be “zero trust” all the way down. Continuous adaptation, layered defenses, and in the near future, assistance from AI “watchdogs” are the best path forward.
"Keep an eye out for agents that keep your employees from making mistakes. I think that's going to be serious work."
—Steve Gibson (50:34)
Find all Security Now episodes & show notes at TWiT.tv/sn, or subscribe in your favorite podcast app.