Topic: Security

7 chapters across the catalog

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061

Security Now 1061: GhostPoster, RAM Pricing, Let's Encrypt Certificates

Security Now episode 1061, recorded on January 20th, 2026, features discussions on the return of GhostPoster, malicious browser extensions, and the impact of RAM pricing on PCs and enterprise networking equipment. Other topics include FTC actions against General Motors, Germany's planned internet surveillance legislation, Grubhub's extortion by ShinyHunters, and the availability of six-day certificates from Let's Encrypt.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 23:25 - 30:01

Anthropic's $1.5 Million Investment in Python Software Foundation

Anthropic has invested $1.5 million in the Python Software Foundation (PSF) over two years, focusing on Python ecosystem security. This strategic investment will fund security advances for CPython and PyPy, including new tools for automated, proactive review of all packages uploaded to PyPI to combat supply chain attacks. Python is recognized as the primary language of AI, making this a crucial partnership.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 48:44 - 58:55

ANCHOR Replaces CIPAC for Critical Infrastructure Security

The Department of Homeland Security (DHS) is finalizing plans for ANCHOR (Alliance of National Councils for Homeland Operational Resilience), a new body to replace the Critical Infrastructure Partnership Advisory Council (CIPAC). ANCHOR aims to serve as a communication hub between industry and government for discussing threats to US critical infrastructure, including cyberattacks. A key focus is re-establishing liability protections for industry executives to encourage open dialogue without fear of government reprisals, a feature that was central to CIPAC.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 1:18:35 - 1:26:23

Let's Encrypt's New Six-Day TLS Certificates

Let's Encrypt has made short-lived and IP address certificates generally available, valid for 160 hours (just over six days). These opt-in certificates aim to improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms. While the default certificate lifetime will gradually shorten from 90 to 45 days, the necessity of these shorter-lived certificates is questioned, especially given the perceived robustness of modern revocation systems and encryption.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 1:37:03 - 1:44:01

Cloud Deployment Security: MongoDB and Cisco Routers

Michael Wright raised concerns about MongoDB servers being publicly accessible in cloud deployments, often due to users' lack of understanding of cloud security implications. This mirrors early Cisco routers, which had services enabled by default, assuming expert users would secure them. The issue highlights a pervasive problem in the industry where assumptions about user knowledge lead to significant vulnerabilities.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 2:20:05 - 2:38:38

GhostPoster: Malicious Browser Extensions and Steganography

GhostPoster refers to a campaign of malicious browser extensions that use steganography within PNG icon files to deliver obscured JavaScript payloads. Initially discovered by Koi Security affecting Firefox users, LayerX later found 17 additional extensions targeting Edge and Chrome, with over 840,000 downloads and installations, some active for up to five years. These extensions perform actions like hijacking affiliate traffic, click fraud, and injecting malicious scripts, highlighting the challenge of detecting stealthy malware.

SN 1061: More GhostPosting - RAM Crisis Hits Firewalls
Episode 1061 2:39:16 - 2:43:31

Security Now Outro and Listener Survey

Leo Laporte and Steve Gibson conclude Security Now, inviting listeners to tune in live on Tuesdays or access the podcast and show notes at GRC.com. Steve's website also offers the 16kb and 64kb audio versions, human-written transcripts, SpinRite, and the new DNS Benchmark Pro. Listeners are encouraged to subscribe to the free podcast and participate in the annual TWiT survey at Twit.tv/survey26.