
Security Now Episode 1071: Critical Cybersecurity Issues and Vulnerabilities
This episode of Security Now covers several critical cybersecurity issues, starting with a deep dive into a major security flaw in H&R Block's tax preparation software. The episode reveals that H&R Block's Business 2025 software installs a root certificate authority (CA) on users' computers, along with its private key, which is a severe security risk. A root CA is a trusted entity that vouches for the authenticity of websites and software by signing digital certificates. Normally, the private key of a root CA is kept highly secure, because anyone holding it can issue fraudulent certificates that every machine trusting that root will accept as legitimate. In this case, H&R Block not only installed a root CA valid for 23 years but also left its private key exposed in a DLL file, so anyone who extracts it can issue certificates that affected computers trust. Attackers could therefore intercept encrypted traffic, impersonate websites like Google or Microsoft, or even sign malicious software that users' computers would trust. The episode explains how this could be done securely: generate a unique, short-lived certificate during installation and immediately discard the private key. H&R Block's approach instead was reckless, and because the root CA stays trusted after the software is uninstalled, users remain vulnerable long after removing it. The practical implication is that users of this software may have unknowingly exposed themselves to man-in-the-middle attacks, in which an attacker can read or alter their internet traffic.

The episode also discusses a cyberattack on Intoxalock, a company that provides court-mandated breathalyzer devices for vehicles. These devices require periodic calibration to ensure accuracy, and the calibration process relies on cloud-based systems. When Intoxalock's systems were taken offline by a cyberattack, drivers with these devices were unable to recalibrate them, effectively locking them out of their cars. This situation highlights the growing intersection of cybersecurity and physical safety, as a digital attack directly affected people's ability to drive. The episode speculates that the attack may have been ransomware, which could also have exposed sensitive data about drivers under court supervision for alcohol-related offenses. This raises serious privacy concerns, since such data could be used for blackmail or other malicious purposes. The incident underscores the risks of relying on centralized, cloud-dependent systems for critical functions, especially when those systems handle highly sensitive personal information.

Another topic explored is "bucket squatting," a security vulnerability involving Amazon Web Services (AWS) storage buckets. The episode explains that AWS lets users create publicly accessible storage containers called "buckets," which are often used to host websites or store data. If a bucket is not properly secured, however, attackers can "squat" on its name by creating a similarly named bucket and capturing traffic intended for the original one. This can lead to phishing attacks, data theft, or the distribution of malicious content. The episode emphasizes the importance of securing cloud storage by setting proper access controls and monitoring for unauthorized use. The issue is particularly relevant for businesses that rely on cloud services, as misconfigured buckets can expose sensitive data or enable attackers to impersonate legitimate services.

The episode also touches on Firefox's introduction of a free built-in VPN, which aims to enhance user privacy by encrypting internet traffic. While this is a positive development for security-conscious users, the episode cautions that VPNs are not a silver bullet for privacy. Users still need to be aware of the limitations: the VPN provider can see their traffic, and a VPN does not protect against all types of surveillance or malware. The discussion serves as a reminder that tools like VPNs can improve security only as part of a broader strategy that includes strong passwords, software updates, and safe browsing habits.

Finally, the episode briefly mentions other security news, including a critical vulnerability in Cisco and Ubiquiti networking equipment that received the highest severity rating (CVSS 10.0). Such vulnerabilities can allow attackers to take full control of affected devices, making them a prime target for exploitation. The episode also notes that Russian citizens are pushing for the return of messaging apps like Telegram and WhatsApp, which were banned by the government. This highlights the tension between government control and individual privacy, as well as the challenges of enforcing digital restrictions in an interconnected world.
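As an added defender-side check, not taken from the episode, the following PowerShell audits the Windows trusted root stores for certificates with the traits described in the H&R Block segment: a root that has a private key associated with it, or a self-signed root issued recently rather than years ago like the established public roots. The function name, the three-year window and the choice of stores are assumptions.

```powershell
# Added example (not from the episode). Lists trusted roots that look out of
# place on an end-user machine. Run in an elevated session to cover the
# LocalMachine store; CurrentUser works without elevation.
function Find-SuspiciousRootCA {
    [CmdletBinding()]
    param(
        # Assumption: a root issued within the last three years is unusual.
        # Public roots shipped with Windows were issued much earlier.
        [datetime]$Since = (Get-Date).AddYears(-3),
        [string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $Store) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert    = $_
            $reasons = @()
            # A legitimate public root never carries a private key on a client.
            # Caveat: in the H&R Block case the key lived in a DLL, not in the
            # store, so this test alone would not have caught it.
            if ($cert.HasPrivateKey)          { $reasons += 'private key in store' }
            if ($cert.NotBefore -gt $Since)   { $reasons += "issued after $($Since.ToShortDateString())" }
            if ($cert.Subject -ne $cert.Issuer) { $reasons += 'not self-signed (not a true root)' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    ValidYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Newest roots first; a software vendor's install-time root shows up at the top.
Find-SuspiciousRootCA | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# Once a root is confirmed unwanted (for example, it survived an uninstall),
# remove it by thumbprint from the store it was found in:
# Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT>"
```

Because uninstalling the software does not remove the root, run the audit again after removal to confirm the certificate is gone.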