Summary of "Security Now 1065"
Summary — Security Now (episode covering “Attestation” and related security news)
Overview
This episode covered changes to code‑signing attestation, TLS/code‑signing certificate lifetime reductions, password‑manager server‑side research, web‑scale/AI bot traffic effects, Chrome 145 device‑bound sessions, extension ecosystem abuses, an Outlook add‑in supply‑chain attack, active WinRAR exploitation, mobile spyware leaks, age‑verification policy debates, and risks/benefits of AI code generation. The hosts discussed practical guidance and real‑world examples throughout.
Key technical topics, findings, and analysis
Attestation & code‑signing changes (main focus)
-
Industry/CA changes
- CA/Browser Forum has shortened certificate lifetimes and tightened validation.
- TLS/SSL lifetimes: maximum validity shortened (example: DigiCert moving from ~397 days to ~199 days for DV); OV reuse periods also shortened.
- Code‑signing lifetimes: multi‑year certificates (e.g., three‑year) are being phased out; new rules push shorter durations.
-
New attestation requirement for code‑signing certificates
- Certificate Authorities (CAs) must obtain an attestation letter from a licensed attorney, CPA, or equivalent third‑party who has first‑hand knowledge of the organization and its officers.
- Face‑to‑face validation (or equivalent documentary proof) is required for principal individuals. The CA must independently verify the validator (license/registration) and confirm via phone/email.
- Required documents and steps include government photo ID, financial documents, secondary evidence, and detailed verification steps specified in the baseline requirements (BR for code signing).
-
Practical implications & advice
- Expect more friction, cost, and time to obtain code‑signing certificates; plan ahead.
- If you need a three‑year certificate, consider buying before the deadline — many maintainers raced to secure pre‑existing 3‑year certs.
- Prefer local hardware signing (HSM / USB HSM / YubiKey‑style devices) over cloud‑per‑signature services if you want unlimited/local signing; avoid pay‑per‑sign cloud services for unrestricted use.
- Consider moving TLS issuance to domain‑validated automation (e.g., Let’s Encrypt) to avoid the revalidation overhead of OV/EV certificates.
Personal account of obtaining a code‑signing cert
- Steve Gibson related his experience with IdenTrust: filling forms, sending a wet‑signed attestation by his CPA, CA verification calls, and finally certificate issuance.
- Demonstrates how onerous but enforceable the new attestation/verification process is in practice.
Password manager server‑side research (preview)
- ETH Zurich and collaborators published research on server‑side/cloud risks to popular password managers (Dashlane, LastPass, Bitwarden).
- Findings: server compromise can enable vault decryption under certain conditions (for example, forced crypto downgrade combined with a weak user password). Bitwarden’s open‑source posture aided analysis.
- Dashlane and Bitwarden have responded; a detailed breakdown is expected in a follow‑up episode.
Web scale, dynamic sites, and bot/AI traffic
- Modern sites behave like programs: server‑side rendering and CMSs incur CPU/database overhead that can be the true bottleneck, not just bandwidth.
- Example: AI.com Super Bowl ad caused backend overload — Cloudflare’s CDN was fine but the origin became unresponsive, indicating CPU/database scaling failure.
- Linux Mint forums experienced heavy AI/bot traffic, forcing server upgrades (reported 10× CPU increases), caching, and filtering. Mitigations include caching, PHP opcache, in‑memory stores (Redis), and static generation when possible.
- Recommendation: evaluate platform/per‑page CPU cost and consider static generation or pre‑rendering where feasible.
Chrome 145 — device‑bound session credentials
- New browser feature lets session credentials (cookies) be bound to device hardware (TPM / secure enclave).
- Effect: prevents replay of session cookies on other devices even if cookies are exfiltrated, improving session integrity.
- Requires secure enclave support and server/deployment changes to adopt device‑bound sessions. Expected to broaden over time.
Browser extension ecosystem abuses
- LayerX research: 30 malicious “AI assistant” Chrome extensions (AI Frame) used remote iframes and privileged bridges to act as surveillance/access brokers — about 260k users affected.
- Koi / independent research: 287 Chrome extensions identified exfiltrating browsing history, totaling ~37.4M installs; data brokers (e.g., SimilarWeb and partners) implicated.
- Attack pattern: extensions delegate core functionality to remotely served, mutable infrastructure — meaning behavior can change after store review; “extension spraying” makes takedowns harder.
- Takeaway: only install well‑known, vetted extensions; the Chrome Web Store review process and remote components are weak points.
Outlook add‑in supply chain attack
- First observed malicious Outlook add‑in (AgreeTo): developer abandoned the project; attacker claimed the hosting subdomain (Vercel) and served a phishing kit via the Outlook sidebar iframe.
- Because Office add‑ins use manifests that point to live URLs, Microsoft signed the manifest once and did not re‑validate hosted content — resulting in ~4,000 credentials stolen.
- Lesson: manifest→live content model for add‑ins is dangerous when hosting ownership changes.
WinRAR active exploitation
- Google Threat Intelligence Group (GTIG) reported active exploitation of a path‑traversal vulnerability (CVE referenced) affecting WinRAR versions prior to 7.13. The exploit can drop files into startup folders, enabling persistence.
- RARLab patched the issue in v7.13 (and later 7.20). Many environments remain vulnerable; Stairwell reported over 80% of monitored environments contained vulnerable WinRAR installs.
- Recommendation: update WinRAR to the latest patched version immediately.
Mobile spyware & IM interception
- Paragon/Graphite spyware leaks exposed demo screenshots showing the ability to extract messages from WhatsApp, Signal, Telegram, and others.
- Once device‑resident spyware runs, app crypto is moot because spyware can read decrypted UI state.
Age verification and social platforms
- Several countries (Kazakhstan, Moldova, Romania) are considering age restrictions on creating social accounts.
- Discord clarified it is not requiring ID from all users; most adults will be age‑predicted from existing signals. Explicit adult content features will require stronger proof.
- Note: some third‑party verification vendors have experienced breaches — introducing privacy risks.
AI/code generation (“vibe coding”) discussion
- Benefits: rapid code generation and strong hype driving investment.
- Risks: subtle bugs, masked root causes, and reduced developer understanding.
- Suggested approach: break projects into small components and use rigorous unit testing (and, where practical, formal verification). Use AI to produce and test small pieces rather than generate opaque monolithic blobs.
- Cautionary example: a Copilot “fix” that inserted a guard instead of fixing the underlying buffer/logic bug.
Product mentions, features & sponsor tools
- Thinks Canary (Canary honeypot): pre‑configured network honeypots for intrusion detection with alerts (SMS, email, webhooks, Slack, Discord) and a hosted console.
- DeleteMe: managed data‑broker removal service with continuous monitoring.
- Meter: integrated full‑stack network hardware/software (wired/wireless/cellular) and managed services for enterprises.
- Zscaler: cloud security / zero‑trust with AI controls for enterprise data protection.
- HawkHunt: phishing simulation and human risk reduction platform with micro‑training and gamification.
Other items / anecdotes
- “Picture of the week”: a security camera was fooled by an 8.5×11 printed photo taped to a wall — a reminder that human workarounds can break unconditional trust in tech.
- Rosskomnadzor (Russia) removed YouTube, WhatsApp, Facebook, and Instagram from Russia’s internal DNS; additional sites (BBC, VPNs) were also blocked.
- Reminder of Steve Gibson’s software and resources: GRC utilities, SpinRite, DNS Benchmark Pro, and his newsletter.
Actionable takeaways
- If you need long‑lived code‑signing certificates, obtain them before industry/CA deadlines; expect attestation letters and face‑to‑face validation steps.
- Move to your own HSM/hardware signing to avoid cloud signing limits and fees.
- Patch WinRAR immediately if running older versions.
- Be cautious with Chrome extensions — vet publishers, minimize installed extensions, and prefer open‑source or widely audited extensions.
- Consider efficiency improvements and pre‑rendering/static generation to reduce per‑page CPU costs and mitigate bot/AI traffic spikes.
- Follow Chrome 145 adoption if your web apps rely on cookies; plan server changes if you want device‑bound sessions.
Main speakers / primary sources
- Steve Gibson (host, technical expert) — Gibson Research Corporation (GRC)
- Leo Laporte (co‑host)
- Research & reporting referenced: ETH Zurich researchers; DigiCert; IdenTrust; CA/Browser Forum baseline requirements; Google Threat Intelligence Group (GTIG); LayerX; Koi Security; Stairwell Security; Linux Mint blog; Paragon/Graphite leak; various news/editorials (including Risky Business).
Category
Technology
Share this summary
Is the summary off?
If you think the summary is inaccurate, you can reprocess it with the latest model.
Preparing reprocess...