Podcasts about fido2

  • 90 podcasts
  • 134 episodes
  • 52m average duration
  • Infrequent episodes
  • Latest episode: Jun 10, 2025


Latest podcast episodes about fido2

Microsoft Mechanics Podcast
Fix Identity Sprawl + Optimize Microsoft Entra
Jun 10, 2025 · 11:04 · Transcription available


Strengthen your security posture in Microsoft Entra by following prioritized Secure Score recommendations. Enforce MFA, block legacy authentication, and apply risk-based Conditional Access policies to reduce exposure from stale accounts and weak authentication methods. Use built-in tools for user, group, and device administration to detect and clean up identity sprawl—like unused credentials, inactive accounts, and expired apps—before they become vulnerabilities. Jeremy Chapman, Microsoft 365 Director, shares steps to clean up your directory, strengthen authentication, and improve overall identity security.

► QUICK LINKS:
00:00 - Microsoft Entra optimization
00:54 - New Recommendations tab
02:11 - Enforce multifactor authentication
03:21 - Block legacy authentication protocols
03:58 - Apply risk-based Conditional Access
04:44 - Identity sprawl
05:46 - Fix account sprawl
08:06 - Microsoft 365 group sprawl
09:36 - Devices
10:33 - Wrap up

► Link References
Watch part one of our Microsoft Entra Beginner's Tutorial series at https://aka.ms/EntraBeginnerMechanics
Check out https://aka.ms/MicrosoftEntraRecommendations

► Unfamiliar with Microsoft Mechanics? As Microsoft's official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
• Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
• Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
• Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

► Keep getting this insider knowledge, join us on social:
• Follow us on Twitter: https://twitter.com/MSFTMechanics
• Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
• Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
• Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Easy Prey
Next-Gen Account Security with Christiaan Brand
Jan 22, 2025 · 43:50


With phishing and password breaches on the rise, passkeys could offer a more secure, user-friendly solution that could reshape how we protect our online identities. Today's guest is Christiaan Brand. Christiaan is the co-founder of Entersekt, a financial services security firm, and a key player at Google in their security and identity teams. A respected voice in cybersecurity, Christiaan co-chairs the FIDO2 technical working group focusing on standardizing robust online security protocols in advancing the use of passkeys. He has been at the forefront of the shift toward more secure, password-free systems. We'll hear his insights on the challenges and opportunities of implementing passkeys to create safer online environments for users and organizations.

Show Notes:
[00:52] - Christiaan is part of the security team for Google accounts. He's been with Google for 9 years. Prior to that he had a startup.
[01:30] - He joined the FIDO Alliance around the same time Google joined in 2013. When he joined Google, he was able to continue with the same type of work.
[02:35] - Each of the big tech companies represents a portion of the market when it comes to how we interact with the web and apps.
[04:06] - He became interested in security when he started thinking about what could go wrong with new technology solutions. He wanted users to be able to access their financial information in a safe and secure way.
[05:06] - 2FA began gaining traction with Google in 2011. It coincided with the launch of Google Authenticator. 2FA was also used by a gaming company.
[07:54] - Usability is important; that's why having an app that displays the codes was one of the first forays into making the technology more accessible.
[08:34] - Passkeys allow us to move beyond passwords, leaving the extra hassle of traditional multi-factor authentication behind.
[11:05] - Key fobs were one of the earlier ways to try and bring usability to security. Now the technology is being moved to smartphones.
[12:33] - Passkeys are a replacement for a password manager.
[13:35] - Passkeys are extremely long and asymmetric in nature. You and the site you're going to both have the passkey.
[14:27] - The service will have the public part of the passkey, and you'll have the private part. Even if the public part leaks out, your passkey will still be secure. Passkeys can never be revealed to phishing sites.
[15:47] - FIDO brings the second authentication step in. The service also has to identify themselves.
[20:04] - Password managers try to balance security and convenience. Logging in or accessing a passkey is a unique challenge for providers.
[22:20] - Phone numbers are a way to get users back into their accounts.
[25:19] - Single device users have extra challenges.
[26:08] - There are pros and cons to external sources of identity.
[29:44] - The FIDO website has many certified solutions.
[33:21] - To get passkeys into daily users' lives, we need to start using them on daily applications where we log in frequently.
[35:49] - Hopefully this passkey solution will stand the test of time.
[37:34] - Attacks are beginning to shift to session hijacking.
[38:24] - DBSC or device-based session credentials is a new standard parallel to FIDO.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:
Podcast Web Page
Facebook Page
whatismyipaddress.com
Easy Prey on Instagram
Easy Prey on Twitter
Easy Prey on LinkedIn
Easy Prey on YouTube
Easy Prey on Pinterest
Entersekt
Christiaan Brand on LinkedIn
Christiaan Brand on Twitter
Christiaan Brand on Facebook
FIDO2 Technical Working Group
Learn More About Passkeys
Passkeys.Dev
FIDO Alliance Passkeys

FLASH DIARIO de El Siglo 21 es Hoy

Are passkeys the definitive solution for replacing passwords? Discover their advantages, challenges and future
By Félix Riaño @Locutorco

Are we ready to say goodbye to passwords? Passkeys, a technology based on biometrics and cryptography, promise to replace traditional passwords with a more secure and easier-to-use method. These digital keys are unique to each account and cannot be stolen or replicated, which makes them an ideal alternative in the face of growing phishing attacks and data breaches. However, their implementation faces challenges: from a lack of compatibility between devices to confusing setup processes. With companies like Apple, Google and Microsoft driving their adoption, could passkeys revolutionize online security? Let's take a closer look.

Elegance or digital confusion?

Passkeys were designed as the natural evolution of passwords, offering a solution resistant to common attacks such as phishing. Instead of memorizing strings of characters, users authenticate their identity with biometrics or a PIN on their device. This private key never leaves the device, while the public key is stored on the server. Although the concept seems ideal, mass adoption has revealed unexpected problems, including its complexity and dependence on specific technology ecosystems.

The main obstacle for passkeys is their lack of interoperability. Companies like Apple, Google and Microsoft have implemented solutions, but these tend to be locked inside their ecosystems. This means a passkey created on an Apple device does not automatically work on an Android or Windows one, which frustrates users with mixed setups. In addition, confusing interfaces and dependence on password managers complicate their use. Even security experts criticize that, in most cases, passwords are still needed as a fallback, which cancels out part of the advantages of passkeys.

Despite these challenges, the industry shows a solid commitment to passkeys. Large companies such as Amazon, PayPal and LinkedIn already support them, and the FIDO2 standard seeks to encourage their adoption. Password managers such as 1Password have also integrated this technology, allowing keys to be synchronized between devices. Although we are not yet ready to say goodbye to passwords, passkeys represent an important step toward more robust and easier-to-use security.

Microsoft recently announced that Windows 11 will integrate third-party passkeys, broadening their accessibility. Meanwhile, initiatives such as the FIDO Alliance are working to improve compatibility between devices and reduce barriers for users. As more services adopt this technology, passkeys may become the authentication standard.

Want to understand more about technology and how it affects our lives? Listen to El Siglo 21 es Hoy: ElSiglo21esHoy.com. Flash Diario is also on Spotify.

The Azure Security Podcast
Episode 105: Azure and Entra ID Security Tools
Nov 22, 2024 · 36:59


In this episode, Michael, Sarah, and Mark talk to Merill Fernando about a set of open source tools he and his team have developed to help people understand their Azure and Entra ID security postures. We also cover news about Fabric, the TLS 1.0 and 1.1 retirement, Microsoft Ignite, FIDO2, Confidential Containers and Red Hat OpenShift, and various Zero Trust news.
https://aka.ms/azsecpod

LINUX Unplugged
576: The Secret Server
Aug 19, 2024 · 80:28


We reveal how we turned our humble LAN into a public server farm, all while keeping our IP address under wraps and our ISP blissfully unaware.

Sponsored By:
Core Contributor Membership: Take $1 a month of your membership for a lifetime!
Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
1Password Extended Access Management: 1Password Extended Access Management is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged
Links:

Business of Tech
EU Regulatory Pressure on Tech Giants, SaaS Security, AI Incident Response, and MFA Adoption
Jun 25, 2024 · 14:11


In this episode of the podcast, Dave Sobel discusses key developments in the tech industry. He highlights a study revealing the risks associated with improper off-boarding in businesses, emphasizing the importance of automating SaaS security to mitigate potential data breaches and insider threats. The podcast also covers the increasing adoption of AI-led security services by managed service providers and the identification of risky connected devices across various industries.

The episode delves into the regulatory challenges faced by Apple in the EU, particularly related to the Digital Markets Act, which could impact the availability of upcoming features in the region. Additionally, the podcast touches on how frustrated users are turning to small claims court to address customer support issues with Meta, showcasing a growing trend of seeking legal recourse for tech companies' shortcomings in customer service.

Sobel discusses the U.S. government's lawsuit against Adobe for alleged deceptive practices in subscription services, shedding light on the regulatory scrutiny faced by tech companies. The episode also explores initiatives by organizations like the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency to enhance data security and collaboration in the cybersecurity space, emphasizing the importance of zero-trust architectures and incident response coordination.

The podcast concludes by highlighting the introduction of automated remediation capabilities for Google Workspace by SaaS Alerts and the implementation of FIDO2 passkeys by Amazon Web Services for enhanced account security. Dave Sobel underscores the significance of investing in SaaS security and adopting multi-factor authentication measures to mitigate cybersecurity risks in the evolving tech landscape.

Four things to know today
00:00 Study Reveals 63% of Businesses at Risk from Improper Offboarding: Automation in SaaS Security Essential
03:58 Apple Faces EU Regulatory Hurdles with New AI Features and App Store Policies Under DMA
07:10 NIST, FCC, and CISA Lead Regulatory and Security Initiatives to Strengthen Cybersecurity and Digital Identity
10:22 SaaS Alerts Enhances MSP Capabilities with Automated Remediation for Google Workspace Security

Supported by
https://www.coreview.com/msp
http://skykick.com/mspradio/

All our Sponsors: https://businessof.tech/sponsors/

Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Support the show on Patreon: https://patreon.com/mspradio/
Want our stuff? Cool Merch? Wear "Why Do We Care?" - Visit https://mspradio.myspreadshop.com

Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessoftech.bsky.social

The Daily Decrypt - Cyber News and Discussions
Key Takeaways from the Ticketmaster breach and Amazon re:Inforce in Philadelphia
Jun 13, 2024


In today's episode, we explore recent major cybersecurity upgrades aimed at safeguarding the American healthcare system, including a new initiative by Microsoft to provide critical cybersecurity resources to rural hospitals. Additionally, we delve into the Ticketmaster-Snowflake data breach perpetrated by ShinyHunters, targeting 560 million users and exposing key vulnerabilities in cloud environments. Lastly, we cover AWS's new and improved security features announced at the re:Inforce conference, which include added multi-factor authentication options, expanded malware protection for Amazon S3, and updated AI apps governance.

Read more at:
https://www.helpnetsecurity.com/2024/06/12/american-healthcare-cybersecurity/
https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html
https://www.helpnetsecurity.com/2024/06/12/aws-security-features/

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Microsoft, Cyberattacks, Healthcare systems, Rural hospitals, ShinyHunters, Breach, Data, Cybersecurity, AWS, FIDO2 passkeys, Malware protection, Cloud environment

Major cybersecurity upgrades announced to safeguard American healthcare
https://www.helpnetsecurity.com/2024/06/12/american-healthcare-cybersecurity/
• Rising Threats: Cyberattacks on American healthcare systems soared 128% from 2022 to 2023, leading to significant disruptions in hospital operations and payment systems. Actionable Insight: Healthcare professionals should stay vigilant and ensure their organizations have updated cybersecurity measures to mitigate risks.
• Impact of Recent Attacks: In early 2024, a major cyberattack affected one-third of healthcare claims in the U.S., delaying payments and services. Critical Implication: Entry to mid-level cybersecurity professionals should focus on protecting payment systems and ensuring quick recovery plans are in place.
• Government Initiatives: The Biden-Harris Administration launched several initiatives to bolster healthcare cybersecurity, including a new gateway website and voluntary performance goals. Actionable Insight: Healthcare institutions should leverage these resources to enhance their cybersecurity posture.
• Collaboration for Solutions: In May 2024, the White House gathered industry leaders to discuss cybersecurity challenges and promote secure-by-design solutions. Engagement Suggestion: Ask listeners how their organizations collaborate with other entities to share threat intelligence and improve security.
• ARPA-H UPGRADE Program: The Advanced Research Projects Agency for Health introduced the UPGRADE program, investing over $50 million in tools to defend hospital IT environments. Actionable Insight: IT teams should explore participation in this program to access cutting-edge cybersecurity tools and support.
• Rural Hospital Support: Cyber disruptions severely impact rural hospitals. Leading tech companies, including Microsoft and Google, committed to providing free or discounted cybersecurity resources to these institutions. Critical Implication: Rural hospital IT staff should take advantage of these offers to strengthen their defenses against cyberattacks.
• Microsoft's Cybersecurity Program: Microsoft announced a program offering up to 75% discounts on security products, free cybersecurity assessments, and training for rural hospitals. Actionable Insight: Rural healthcare providers should engage with Microsoft's program to improve their cybersecurity measures and resilience.
• Google's Contributions: Google will offer endpoint security advice and discounted communication tools to rural hospitals, along with a pilot program to tailor security solutions to their needs. Engagement Suggestion: Prompt listeners to consider what specific cybersecurity challenges their rural hospitals face and how these new initiatives could assist them.
• Continued Efforts: The White House and industry leaders emphasize the importance of private-public partnerships to ensure the security and functionality of healthcare systems nationwide. Efficiency Tip: Cybersecurity professionals should stay informed about these partnerships and actively participate to benefit from shared knowledge and resources.

Lessons from the Ticketmaster-Snowflake Breach
https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html
• ShinyHunters Breach: Last week, hacker group ShinyHunters allegedly stole 1.3 terabytes of data from 560 million Ticketmaster users. The breach could expose massive amounts of personal data and has sparked significant concern. Listener Question: How can we ensure our data is safe with such large-scale breaches happening? Actionable Insight: Regularly update passwords and enable multi-factor authentication (MFA) on all accounts.
• Live Nation Confirms Breach: Live Nation confirmed the breach in an SEC filing, stating unauthorized activity occurred in a third-party cloud database. An investigation is ongoing, and law enforcement is involved. Listener Question: What steps should companies take immediately after discovering a breach? Actionable Insight: Initiate a comprehensive investigation, notify affected parties, and work with law enforcement.
• Santander Also Affected: ShinyHunters claim to have data from Santander, affecting millions of customers and employees in Chile, Spain, and Uruguay. The breach involved a third-party provider. Listener Question: Should we be worried about third-party services? Actionable Insight: Ensure third-party services adhere to stringent security protocols and regularly review their security measures.
• Snowflake Connection: Both Ticketmaster and Santander used Snowflake for their cloud databases. Snowflake warned of increased cyber threats targeting customer accounts, urging users to review logs for unusual activity. Listener Question: What can companies do to safeguard their cloud data? Actionable Insight: Enforce MFA, set network policies to limit access, and regularly rotate credentials.
• Snowflake's Response: Snowflake's CISO clarified their system wasn't breached; single-factor authentication vulnerabilities were exploited. They recommend MFA and network policy rules for enhanced security.
• Mitiga's Research: Mitiga found the attacks exploited environments without two-factor authentication, primarily using commercial VPN IPs to execute attacks. Listener Question: How can we protect against these types of attacks? Actionable Insight: Implement and enforce MFA, utilize corporate SSO, and regularly monitor for unusual login activity.
• Cloud Security Challenges: Modern cloud environments limit some security controls. Ensure platforms offer APIs for privileged identity management and integrate with corporate security. Listener Question: What should we look for in a cloud service provider? Actionable Insight: Choose providers that support MFA, SSO, password rotation, and centralized logging.
• Non-Human Identities: Protecting non-human identities like service accounts is challenging but necessary. Snowflake provides guidance on securing these accounts. Listener Question: How do we secure non-human identities? Actionable Insight: Use strong, unique passwords and rotate credentials frequently for service accounts.
• Cost of Cyber Attacks: Cybercriminals aim to maximize profit through mass, automated attacks like credential stuffing. Simple security measures can make these attacks less feasible. Listener Question: What simple measures can we take to protect against cyber attacks? Actionable Insight: Implement SSO, MFA, and regular password rotation to increase the cost and complexity for attackers.

Remember, these insights are not just theoretical—they can help you strengthen your organization's security posture today!

AWS unveils new and improved security features
https://www.helpnetsecurity.com/2024/06/12/aws-security-features/
Key Information and Actionable Insights
• Multi-Factor Authentication (MFA) Upgrades: New Option: AWS introduces support for FIDO2 passkeys as an additional MFA method. Security Assurance: FIDO2 security keys offer the highest level of security, ideal for environments with stringent regulatory requirements (FIPS-certified devices). Considerations: Evaluate passkey providers' security models, especially for access and recovery.
• Enhanced Access Management: IAM Access Analyzer Update: Now assists in identifying and removing unused roles, access keys, and passwords. Permissions Management: Helps set, verify, and refine unused permissions to maintain a streamlined and secure access environment.
• Malware Protection for Amazon S3: GuardDuty Expansion: Now detects malicious file uploads in S3 buckets. Configuration Options: Teams can set up post-scan actions like object tagging or use Amazon EventBridge to manage malware isolation processes.
• AI Apps Governance: Audit Manager Update: New AI best practice framework simplifies evidence collection and ongoing compliance audits. Standard Controls: Includes 110 pre-configured controls organized under domains such as accuracy, fairness, privacy, resilience, responsibility, safety, security, and sustainability.
• Additional Improvements: Log Analysis: Simplified through natural language queries that produce SQL queries (currently in preview). Network Services Integration: Streamlined process for incorporating firewalls, IDS/IPS, and other network services into customers' WANs.

The SysAdmin DOJO Podcast
Passkeys in Microsoft Entra: Benefits, Implementation Tips & More
May 23, 2024 · 35:16


In this episode of the Security Swarm Podcast, our host Andy and guest speaker Jan Bakker discuss passkeys in the Microsoft ecosystem. They cover topics such as the definition of passkeys, prerequisites, tips for implementation, and the user experience. They also highlight the user-centric enrollment process, the role of conditional access, and the potential challenges and advantages of transitioning to passkeys.

Key takeaways:
• Passkeys are a new authentication mechanism using the FIDO2 standard, providing a secure and user-friendly passwordless experience.
• Device-bound passkeys are more secure but not transferable between devices, while syncable passkeys offer convenience but may introduce potential security risks.
• Passkeys enhance security by being phishing-resistant and replacing traditional passwords and MFA methods.
• The enrollment process involves using the Microsoft Authenticator app and ensuring prerequisites like device compatibility and Bluetooth connectivity.
• Admins can enforce authentication method policies and conditional access to control user access and enhance security.
• User education, interface improvements, and conditional access play crucial roles in a successful transition to passkeys.

Timestamps:
(03:04) - Unlocking the Future of Passkeys and the Evolution of Authentication
(06:18) - Exploring the Security Benefits of Device Bound and Syncable Passkeys
(14:54) - How to Prepare for Passkeys in Microsoft 365
(23:03) - Navigating the Rollout of Passkeys for Enhanced Security: Admins vs End Users
(29:03) - Maximizing Security with Passkeys, Conditional Access, and Authentication Policies
(33:01) - Unveiling the Convenience of Device-Bound Passkeys in Vasquez for Microsoft 365

Episode Resources:
Previous episode on Passkeys
Blog post of Jan

Security Now (MP3)
SN 974: Microsoft's Head in the Clouds - 4-Digit Pins, Long Range Navigation, Microsoft
May 15, 2024 · 115:19


Picture of the Week. Most to least common 4-digit pins. Enhanced LORAN. Passkeys. Microsoft's Head in the Clouds.

Show Notes - https://www.grc.com/sn/SN-974-Notes.pdf
Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at https://twit.tv/shows/security-now.
Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6.

Sponsors:
1bigthink.com
zscaler.com/zerotrustAI
kolide.com/securitynow
joindeleteme.com/twit promo code TWIT

The same episode (May 15, 2024, 115:19) is also listed with an identical description under these feeds: All TWiT.tv Shows (MP3), Security Now (Video HD), Security Now (Video HI), Radio Leo (Audio), Security Now (Video LO), All TWiT.tv Shows (Video LO), and Radio Leo (Video HD, transcription available).

Identity At The Center
#274 - Deep IAM Thoughts with John Podboy
Apr 15, 2024 | 57:06

In this episode, hosts Jim McDonald and Jeff Steadman engage in a far-reaching discussion with John Podboy, a Senior Vice President in Cybersecurity for a major bank. They delve into the evolving landscape of identity in the banking industry, the impact of AI and indicators of compromise on identity data, and the potential future innovations like FIDO2 and passkeys. John also shares his insights on the importance of understanding business objectives and the role of identity in driving revenue and customer trust. Plus, don't miss the wine talk towards the end, where John reveals his passion for vineyards and the type of wine he would specialize in if he had his own.
Connect with John: https://www.linkedin.com/in/johnpodboy/
Identiverse 2024: As an IDAC listener, you can register with 25% off by using code IDV24-IDAC25 at https://events.identiverse.com/identiverse2024/register?code=IDV24-IDAC25
Attending the European Identity and Cloud Conference in Berlin? Use discount code EIC24idac25 for 25% off. Register at https://www.kuppingercole.com/events/eic2024
Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:
Europe: https://www.terrapinn.com/exhibition/identity-week/
America: https://www.terrapinn.com/exhibition/identity-week-america
Asia: https://www.terrapinn.com/exhibition/identity-week-asia/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Hacker News Recap
December 2nd, 2023 | Not a real engineer (2019)
Dec 3, 2023 | 18:58

This is a recap of the top 10 posts on Hacker News on December 2nd, 2023. This podcast was generated by wondercraft.ai.
(00:36) Not a real engineer (2019). Original post: https://news.ycombinator.com/item?id=38503486&utm_source=wondercraft_ai
(02:19) Infants understand language via rhythm and tone rather than individual sounds. Original post: https://news.ycombinator.com/item?id=38500906&utm_source=wondercraft_ai
(04:11) Clang now makes binaries an original Pi B+ can't run. Original post: https://news.ycombinator.com/item?id=38504134&utm_source=wondercraft_ai
(06:08) GQL – Git Query Language. Original post: https://news.ycombinator.com/item?id=38498688&utm_source=wondercraft_ai
(08:06) UniFi Express. Original post: https://news.ycombinator.com/item?id=38504027&utm_source=wondercraft_ai
(09:44) Cicadas are so loud, fiber optic cables can 'hear' them. Original post: https://news.ycombinator.com/item?id=38500065&utm_source=wondercraft_ai
(11:45) Is Ada safer than Rust? Original post: https://news.ycombinator.com/item?id=38498775&utm_source=wondercraft_ai
(13:45) Can't sign in with FIDO2 key on office.com. Original post: https://news.ycombinator.com/item?id=38502340&utm_source=wondercraft_ai
(15:18) Open-source drawing tool – Excalidraw. Original post: https://news.ycombinator.com/item?id=38499375&utm_source=wondercraft_ai
(16:55) Mundane emotions: Losing yourself in boredom, time and technology (2022). Original post: https://news.ycombinator.com/item?id=38500681&utm_source=wondercraft_ai
This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai

LINUX Unplugged
535: Hit the Turbo
Nov 10, 2023 | 110:35

A special guest joins us, and we each give Fedora 39 a try. What's new, what we liked, and what didn't make the cut! Special Guest: Drew DeVore.

Security Now (MP3)
SN 947: Article 45 - Citrix Bleed update, Ace Hardware cyberattack, Bitwarden get Passkeys
Nov 8, 2023 | 133:25

Microsoft announced storing their Azure keys in an HSM after previously losing control of a private signing key
A quartet of new 0-day vulnerabilities in Exchange Server that Microsoft declined to fix
Apache ActiveMQ servers under attack exploiting a 0-day, with over half of publicly exposed servers vulnerable
Update on the Citrix Bleed vulnerability with evidence of hackers gaining access and post-exploitation activity
CVSS version 4 released with new metrics for better granularity and clarity of vulnerability scores
Ace Hardware suffered a cyberattack impacting servers and systems
Google abandons controversial "Web DRM" proposal to let sites restrict browser extensions
Analysis of "BadCandy" malware infecting vulnerable Cisco routers
Bitwarden password manager adds support for FIDO2 passkeys in browser extension
Rescuing a severely degraded SSD and bringing it back to life with SpinRite
Feedback from listeners on IPv6 adoption, factors for choosing crypto primes, installing Windows 11, and more
The brewing battle in the EU over proposed eIDAS regulation Article 45 that could ban security checks on root certificates and undermine encrypted web traffic
Show Notes - https://www.grc.com/sn/SN-947-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors: lookout.com canary.tools/twit - use code: TWIT Melissa.com/twit

TWiT Bits (MP3)
SN Clip: Passkeys Exportability
Oct 20, 2023 | 6:26

On Security Now, Steve Gibson reads an email from a fan who asks if passkeys are meant to be a device verification like SSH keys. For the full episode, visit twit.tv/sn/944
#Passkeys #Phishing #Authentication
Hosts: Steve Gibson and Leo Laporte
You can find more about TWiT and subscribe to our podcasts at https://podcasts.twit.tv/
Sponsor: GO.ACILEARNING.COM/TWIT

Security Now (MP3)
SN 944: Abusing HTTP/2 Rapid Reset - Passkeys, ValiDrive follow-up, 2FA apps, pre-release Spinrite
Oct 18, 2023 | 145:57

ValiDrive release follow-up
Passkeys exportability and phishing risk
Passkeys for device verification like SSH keys
Possibility of hobby browsers vs. production browsers
Availability of SpinRite 6.1 pre-release
Filling drives with crypto noise using VeraCrypt
Steve and Leo's favorite OTP apps
Google Docs link rewriting could be to prevent referrer leakage
Abusing HTTP/2 Rapid Reset
Show notes: https://www.grc.com/sn/SN-944-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Sponsors: Melissa.com/twit cs.co/twit bitwarden.com/twit

Hacker And The Fed
Are Paying Ransoms Illegal? Ransomware Shuts Down a 158 Year Old Company, Fido2 Security Keys, and Hacktivist Rules
Oct 12, 2023 | 74:42

This week on Hacker And The Fed: Microsoft releases its 2023 Digital Defense Report; are paying ransoms illegal in the United States? The NSA and CISA red and blue teams share the top 10 cybersecurity misconfigurations, a 158-year-old company shuts down because of a ransomware attack, and we answer listener questions about FIDO2 security keys and "hacktivist" rules.
Links from the episode:
Microsoft Releases Its Yearly Digital Defense Report https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023
Are Paying Ransoms Illegal in the U.S.? https://www.huntonprivacyblog.com/2022/07/26/florida-enacts-law-prohibiting-state-agencies-from-paying-cyber-ransoms/
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
Zero-days for Hacking WhatsApp are Now Worth Millions of Dollars https://techcrunch.com/2023/10/05/zero-days-for-hacking-whatsapp-are-now-worth-millions-of-dollars/
Lazarus Impersonated Meta Recruiter to Breach Spanish Aerospace Firm https://www.helpnetsecurity.com/2023/10/02/lazarus-lightlesscan/
Kettering logistics firm enters administration with 730 jobs lost https://www.bbc.com/news/uk-england-northamptonshire-66927965
FDA Cyber Mandates for Medical Devices Goes into Effect https://cyberscoop.com/fda-cybersecurity-medical-devices/
City of Dallas Suffers a Ransomware Attack https://dallascityhall.com/DCH%20Documents/dallas-ransomware-incident-may-2023-incident-remediation-efforts-and-resolution.pdf
International Committee of the Red Cross Published Rules of Engagement for Civilian Hackers Involved in Conflicts https://www.bbc.co.uk/news/technology-66998064 https://www.theregister.com/2023/10/04/red_cross_hacktivist_rules/
Support our sponsors: Go to JoinDeleteMe.com/FED and use the code FED20 for 20% off
Get your Hacker and the Fed merchandise at hackerandthefed.com
Send HATF your questions at questions@hackerandthefed.com

IT Privacy and Security Weekly update.
From Fido to France-oh! With the IT Privacy and Security Weekly Update for the Week ending August 22nd, 2023
Aug 23, 2023 | 22:24

Get your passport ready, because this week we ignore the Amalfi coast and head straight for the real action! Out of Zurich we have news of Google and a new FIDO2, before heading off to Canada and a wild assertion from a bank there about targeting children's parents. We present the QR code you knew would come, Tesla's insider dealing, and how China leveraged Japan's porosity. We bounce back to New York for the Times' latest headline story, and then discover what AI will really mean to your job in the next few years, and yes, that's probably coming from your boss, or her boss. From Norway we discover a "funny" little Windows server feature, and from Kenya, more proof that the thing attempting to become the de facto world digital identity system for citizens of the globe has a hard time hearing. This is the best-traveled update yet, so take those feet and let's get them in the street! Find the full transcript to this podcast here.

c't uplink
Passkeys instead of passwords | c't uplink
Aug 5, 2023 | 46:21

In this episode of c't uplink we talk about passkeys and how they are setting out to displace passwords from everyday life. How do you set up passkey logins, how secure can the whole thing really be, and can't you quickly shoot yourself in the foot if you tie all your logins to a piece of hardware that can be lost or broken? The conversation also covers short videos that show the use of passkeys on various platforms. You can find them on YouTube at these links:
https://youtu.be/U0piXL90-LI (Android)
https://youtu.be/FCgmxIjl7Ms (PC and smartphone)
https://youtu.be/_IXkOJYL4aA (iOS and macOS)
https://youtu.be/lxEGNjwQ8Ak (Windows)

Hacking Humans
passkey (noun) [Word Notes]

Hacking Humans

Play Episode Listen Later May 30, 2023 7:28


A passwordless authentication protocol based on the FIDO2 standard. CyberWire Glossary link: https://thecyberwire.com/glossary/passkey Audio reference link: Summers, J., 2023. Google Passkeys Have Arrived (here's how to use them) [All Things Secured Channel]. YouTube. URL https://www.youtube.com/watch?v=oFO7JgUx-bU.

Word Notes
passkey (noun)

Word Notes

Play Episode Listen Later May 23, 2023 7:28


A passwordless authentication protocol based on the FIDO2 standard. CyberWire Glossary link: https://thecyberwire.com/glossary/passkey Audio reference link: Summers, J., 2023. Google Passkeys Have Arrived (here's how to use them) [All Things Secured Channel]. YouTube. URL https://www.youtube.com/watch?v=oFO7JgUx-bU. Learn more about your ad choices. Visit megaphone.fm/adchoices

c’t uplink
SSDs with SATA interface * Securing two-factor login against phishing * AI-generated media | c't uplink 48.2

c’t uplink

Play Episode Listen Later May 6, 2023 90:56


In the studio today: Pina Merkert (AI expert), Lutz Labs (SSDs) and Niklas Dierking (two-factor login), hosted by Jörg Wirtgen. We talk about SSDs with a SATA connector as retrofits for old PCs and notebooks. Then we explain how two-factor authentication can be hacked and why it is still worthwhile. Finally, we discuss how artificial intelligence could affect the media and some jobs. PCIe SSDs are the first choice for modern PCs. But when all M.2 slots are occupied, or the PC or notebook is older and has no M.2 slots at all, SATA SSDs come into play. c't tested several new models and came across some oddities along the way. We look inside and are surprised that a 512 GByte SSD needs twice as many memory chips as the 1 TByte variant from the same manufacturer, and that another SSD comes with an odd number of memory chips. This yields a few tips for choosing one. Also interesting: some of the SSDs have a plastic case, others one with at least one metal side. The read speeds of SATA SSDs, on the other hand, are not much use as a distinguishing criterion; the write speeds are more so. We compare them with those of the M.2 interface, the clearly superior form factor, if it is available at all. Finally, we talk about the amounts of storage that locally installed AI applications require, another criterion for choosing the optimal SSD. So-called two-factor authentication is generally considered secure. We give an overview of the most important methods: via SMS, via hardware (above all FIDO2-compatible USB sticks such as the YubiKey), or via TOTP. The latter are those six-digit PINs generated by a special app, the so-called one-time passwords (Time-Based One-Time Password).
Google recently announced a change to the Authenticator app, which we briefly classify (as not yet good enough). How the SMS method can be cracked has been known for a long time; more recently, however, TOTP logins can also be intercepted, with an elaborate phishing procedure that we explain. The main defence is the usual caution when clicking links in dubious mails, which, however, look less and less dubious. FIDO2 keys protect even better because they encode the URL as well and therefore deliver no password at all for a wrong URL. For some months now, new AI tools have been sprouting like mushrooms. A few of them work so well that they will upend jobs. Journalists, copywriters and illustrators are particularly affected. Anyone who employs these professions will have to ask themselves the ethical question of whether saving costs with AI is justifiable. For users, the question also arises of to what extent AI-generated media can still be distinguished from human-made ones at all. This demands a great deal of media literacy, something that young and old people often still have to learn. A real way out of the societal dilemma is not in sight. But, as always, a technical understanding of the technology helps to anticipate the development to some extent. Much will depend on how deep the real understanding of future AIs will go. We explain rule-based AIs and discuss the scaling hypothesis. ***SPONSOR NOTICE*** AVM is Europe's leading manufacturer of products for the digital home. With around 880 employees and the best-known brand of WLAN routers, AVM brings millions of people onto the internet. Exciting jobs at jobs.avm.de ***SPONSOR NOTICE END***

Cybersecurity Hot Takes
34. Enterprise Deployment of FIDO2 Passwordless Authentication

Cybersecurity Hot Takes

Play Episode Listen Later Apr 20, 2023 8:24


While the podcast crew is off to San Francisco to meet everyone at the RSA Conference, we have a very special presentation from our own Jing Gu. Using Beyond Identity as an example, Jing takes us through how the best passwordless authentication solutions build upon and extend the FIDO2 standards to make authentication simple and secure for their workforces, customers, and developers! Follow Beyond Identity: twitter.com/beyondidentity linkedin.com/company/beyond-identity-inc Website: beyondidentity.com Send any voice submissions to Podcast@beyondidentity.com Informal security chat with Beyond Identity's CTO Jasson Casey, Founding Engineer Nelson Melo, and VP of Global Sales Engineering Husnain Bajwa and our host Marketing Empress Reece Guida. Join us for the good, the ugly, and the unexplored in the cybersecurity space. Chat topics include MFA, authentication, passwordless solutions, and how Beyond Identity is utilizing asymmetric cryptography to create the first unphishable multi-factor authentication on the planet. --- Send in a voice message: https://podcasters.spotify.com/pod/show/beyondidentity/message

RunAs Radio
FIDO2 and Passwordless with Kyle Kotowick

RunAs Radio

Play Episode Listen Later Mar 8, 2023 30:09


Ready to go passwordless? While at NDC in London, Richard chatted with Kyle Kotowick about the FIDO2 specification and how it is being implemented to provide more passwordless options for authentication. Kyle talks about how FIDO2 does not necessarily mean physical keys like the Yubikey - there are more options! The TPM chip in your PC or smartphone can act as the token generator when combined with a second authenticator, like fingerprint or facial recognition in Windows Hello. Ideally, this superior level of authentication is effortless - you use multifactor without even realizing you are! Links: Fido Alliance, YubiKeys, Windows Hello for Business, WebAuthn, CTAP2. Recorded January 25, 2023

The Tech Blog Writer Podcast
2271: Yubico - YubiKey: Strong Authentication, Less Friction

The Tech Blog Writer Podcast

Play Episode Listen Later Feb 15, 2023 27:07


Yubico, the company behind the YubiKey, is revolutionizing online security with its hardware-based security keys. These keys provide an extra layer of protection for your online accounts, making them less vulnerable to cyber threats such as phishing, man-in-the-middle (MitM) attacks, SIM swapping and account takeovers. The YubiKey is the world's first security key and protects over 4,000 organizations worldwide. The shift to remote work due to the pandemic has highlighted the need for better cybersecurity measures. According to Yubico's research, 42% of people feel more vulnerable to cyber threats while working from home, and 39% feel unsupported by IT. However, hardware-based security keys like the YubiKey provide a more secure solution while reducing friction at login. They meet the FIDO2 and WebAuthn standards, helping to pave the way for interoperability. Niall McConachie, Regional Director (UK & Ireland) at Yubico, discusses the most common cyber threats people face and why not all security is equal. He emphasizes that while one-time passcodes (OTPs) sent by SMS or mobile authentication apps are the most popular forms of two-factor authentication (2FA), they are still vulnerable to attacks. On the other hand, hardware-based security keys provide strong authentication and reduce the friction of logging in to multiple apps and accounts each day. Niall also discusses the future of secure, passwordless authentication. The evolving modern authentication ecosystem, with the help of hardware-based security keys, is paving the way for a future where passwords are no longer the primary form of authentication. This not only makes our online accounts more secure, but also reduces the hassle of remembering multiple passwords. Sponsored VPN Offer https://www.piavpn.com/techtalksdaily

Security Now (MP3)
SN 877: The "Hertzbleed" Attack - 3rd Party FIDO2, Log4Shell, '311' Proposal

Security Now (MP3)

Play Episode Listen Later Jun 28, 2022 Very Popular


Picture of the Week
Errata: Firefox's "Total Cookie Protection"
3rd Party FIDO2 Authenticators
Germany's not buying the EU's proposal which subverts encryption
The Conti Gang have finally pulled the last plug
Log4J and Log4Shell is alive and well
The '311' emergency number proposal
56 Insecure-By-Design Vulnerabilities
"Long Story Short"
Closing The Loop
The "Hertzbleed" Attack
We invite you to read our show notes at https://www.grc.com/sn/SN-877-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit barracuda.com/securitynow Melissa.com/twit

Security Now (Video HD)
SN 877: The "Hertzbleed" Attack - 3rd Party FIDO2, Log4Shell, '311' Proposal

Security Now (Video HD)

Play Episode Listen Later Jun 28, 2022 Very Popular


Picture of the Week
Errata: Firefox's "Total Cookie Protection"
3rd Party FIDO2 Authenticators
Germany's not buying the EU's proposal which subverts encryption
The Conti Gang have finally pulled the last plug
Log4J and Log4Shell is alive and well
The '311' emergency number proposal
56 Insecure-By-Design Vulnerabilities
"Long Story Short"
Closing The Loop
The "Hertzbleed" Attack
We invite you to read our show notes at https://www.grc.com/sn/SN-877-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit barracuda.com/securitynow Melissa.com/twit

Security Now (Video HI)
SN 877: The "Hertzbleed" Attack - 3rd Party FIDO2, Log4Shell, '311' Proposal

Security Now (Video HI)

Play Episode Listen Later Jun 28, 2022


Picture of the Week
Errata: Firefox's "Total Cookie Protection"
3rd Party FIDO2 Authenticators
Germany's not buying the EU's proposal which subverts encryption
The Conti Gang have finally pulled the last plug
Log4J and Log4Shell is alive and well
The '311' emergency number proposal
56 Insecure-By-Design Vulnerabilities
"Long Story Short"
Closing The Loop
The "Hertzbleed" Attack
We invite you to read our show notes at https://www.grc.com/sn/SN-877-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit barracuda.com/securitynow Melissa.com/twit

All TWiT.tv Shows (MP3)
Security Now 877: The "Hertzbleed" Attack

All TWiT.tv Shows (MP3)

Play Episode Listen Later Jun 28, 2022


Picture of the Week
Errata: Firefox's "Total Cookie Protection"
3rd Party FIDO2 Authenticators
Germany's not buying the EU's proposal which subverts encryption
The Conti Gang have finally pulled the last plug
Log4J and Log4Shell is alive and well
The '311' emergency number proposal
56 Insecure-By-Design Vulnerabilities
"Long Story Short"
Closing The Loop
The "Hertzbleed" Attack
We invite you to read our show notes at https://www.grc.com/sn/SN-877-Notes.pdf
Hosts: Steve Gibson and Jason Howell
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now! at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: drata.com/twit barracuda.com/securitynow Melissa.com/twit

Risky Business
Risky Business #666 -- The msdt RTF of DOOM

Risky Business

Play Episode Listen Later May 31, 2022 Very Popular


On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
The msdt/office lolbinapalooza
Microsoft to introduce sensible defaults to Azure
Twitter fined $150m for sms 2fa spam
It turns out npm got owned in that Heroku/Travis CI thing
AWS cred-stealing supply chain attack was research your honour, I swear!
Much, much more
We'll be chatting with Airlock Digital co-founder and CTO Daniel Schell in this week's sponsor interview. He'll be walking us through some of his own research into how to own Microsoft boxes via document-embedded office add-ins. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.
Show notes
nao_sec on Twitter: "Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 https://t.co/rVSb02ZTwt" / Twitter
Follina - a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
Kevin Beaumont on Twitter: "Additional Follina issue, if you use wget in Powershell, it blindly executes any code via MSDT as it trusts all MS Protocol URIs. So to clarify, if you wget a webpage you don't control and the webpage adds Follina exploit string, your server then runs the code." / Twitter
Microsoft Office Remote Code Execution - "Follina" MSDT Attack
Raising the Baseline Security for all Organizations in the World - Microsoft Tech Community
npm security update: Attack campaign using stolen OAuth tokens | The GitHub Blog
Twitter fined $150 million by FTC for alleged privacy violations - The Record by Recorded Future
REvil prosecutions reach a 'dead end,' Russian media reports
Multiple flights across India grounded after SpiceJet airline hit with ransomware - The Record by Recorded Future
Exclusive: Russian hackers are linked to new Brexit leak website, Google says | Reuters
Russian companies have started laying off Ukrainian IT specialists - РБК (RBC)
Hacker Leaks Mountain of Files From Inside Xinjiang Camps
Spain set to strengthen oversight of secret services after NSO spying scandal | The Times of Israel
No evidence of exploitation of Dominion voting machine flaws, CISA finds - The Washington Post
Researchers identify FIDO2 protocol vulnerabilities - Security - iTnews
756.pdf
Security 'researcher' hits back against claims of malicious CTX file uploads | The Daily Swig
Israeli private detective used Indian hackers in job for Russian oligarchs, court filing says | Reuters
Hacker Steals Database of Hundreds of Verizon Employees
GarWarner on Twitter: "Last month the US Department of Justice petitioned the court to be allowed to seize Mr. Woodbery's Bitcoin. 151.885720427 BTC is 11,930,370 Naira or $4,364,299 USD currently. (Thread 1/? ) https://t.co/Xh39FTLQUV" / Twitter
Malcolm Herbert on Twitter: "@riskybusiness @Metlstorm ... for some reason I never pictured you guys as doing a recording session before sunup, but then I guess with @Metlstorm being in NZ that kinda makes sense now that I think about it ... I'll see myself out ..." / Twitter
Darknet market Versus shuts down after hacker leaks security flaw
Omnipotent BMCs from Quanta remain vulnerable to critical Pantsdown threat | Ars Technica
Red Canary Managed Detection and Response - YouTube
Airlock Digital Demo - YouTube