WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!

Admin-level holes in websites are always a bad thing... and for "bad", read "worse" if it's an e-commerce site.

S3 Ep127: When you chop someone out of a photo, but there they are anyway…

Listen now - latest episode. Full transcript inside.

Windows 11 also vulnerable to “aCropalypse” image data leakage

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Google Pixel phones had a serious data leakage bug – here’s what to do!

What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

Bitcoin ATM customers hacked by video upload that was actually an app

As the misquote goes, "Once is misfortune..." This is the second time, and you know what Lady Bracknell had to say about that...

Dangerous Android phone 0-day bugs revealed – patch or work around them now!

Despite its usually inflexible 0-day disclosure policy, Google is keeping four mobile modem bugs semi-secret due to likely ease of exploitation.

S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]

Worried about rogue apps? Unsure about the new Outlook zero-day? Clear advice in plain English... just like old times, with Duck and Chet!

Microsoft fixes two 0-days on Patch Tuesday – update now!

An email you haven't even looked at yet could be used to trick Outlook into helping crooks to logon as you.

Firefox 111 patches 11 holes, but not 1 zero-day among them…

In the game of cricket, 111 is an inauspicious number, but for Firefox, there doesn't seem to be much to worry about this month.

Linux gets double-quick double-update to fix kernel Oops!

Linux doesn't BSoD. It has oopses and panics instead. (We show you how to make a kernel module to explore further.)

SHEIN shopping app goes rogue, grabs price and URL data from your clipboard

It's not exactly data theft, but it's worryingly close to "unintentional treachery" - apparently because it's great for marketing purposes

S3 Ep125: When security hardware has security holes [Audio + Text]

Lastest episode - listen now! (Full transcript inside.)

Serious Security: TPM 2.0 vulns – is your super-secure data at risk?

Security bugs in the very code you've been told you must have to improve the security of your computer...

DoppelPaymer ransomware supsects arrested in Germany and Ukraine

Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in Düsseldorf.

Feds warn about right Royal ransomware rampage that runs the gamut of TTPs

Wondering which cybercrime tools, techniques and procedures to focus on? How about any and all of them?

S3 Ep124: When so-called security apps go rogue [Audio + Text]

Rogue software packages. Rogue "sysadmins". Rogue keyloggers. Rogue authenticators. Rogue ROGUES!

LastPass: Keylogger on home PC led to cracked corporate password vault

Seems the crooks implanted a keylogger via a vulnerable media app (LastPass politely didn't say which one!) on a developer's home computer.

Dutch police arrest three cyberextortion suspects who allegedly earned millions

Ever paid hush money to crooks who broke into your network? Wondered how much you can trust them?

Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!

Even in Apple's and Google's "walled gardens", there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.)

S3 Ep123: Crypto company compromise kerfuffle [Audio + Text]

Latest episode - listen now! Top-notch advice for cybersecurity, both at work and at home.

NPM JavaScript packages abused to create scambait links in bulk

Free spins? Bonus game points? Cheap social media followers? What harm could it possibly do if you just take a tiny little look?!

Coinbase breached by social engineers, employee data stolen

Another day, another "sophisticated" attack. This time, the company has handily included some useful advice along with its mea culpa...

Twitter tells users: Pay up if you want to keep using insecure 2FA

Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

GoDaddy admits: Crooks hit us with malware, poisoned customer websites

New report admits that attackers were detected in the network about three months ago, and may have been attacking for about three years.

S3 Ep122: Stop calling every breach “sophisticated”! [Audio + Text]

Latest episode - listen now! (Full transcript inside.)

Microsoft Patch Tuesday: 36 RCE bugs, 3 zero-days, 75 CVEs

Lots of lovely patches for your Valentine's Day delight. Get 'em as soon as you can...

Apple fixes zero-day spyware implant bug – patch now!

Everyone update now! Except for those who don't need to! Or who need to but will only get updates later on, though Apple isn't saying yet!

Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug

Conditional code considered cryptographically counterproductive.

Reddit admits it was hacked and data stolen, says “Don’t panic”

Reddit is suggesting three tips as a follow-up to this breach. We agree with two of them but not with the third...

S3 Ep121: Can you get hacked and then prosecuted for it? [Audio + Text]

Latest epsiode. Listen now!

OpenSSL fixes High Severity data-stealing bug – patch now!

7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English...

VMWare user? Worried about “ESXi ransomware”? Check your patches now!

To borrow from HHGttG, please DON'T PANIC. But if you are two years out of date with patches, please do ACT NOW!

Tracers in the Dark: The Global Hunt for the Crime Lords of Crypto

Hear renowned cybersecurity author Andy Greenberg's thoughtful commentary about the "war on crypto" as we talk to him about his new book...

Finnish psychotherapy extortion suspect arrested in France

Company transcribed ultra-personal conversations, didn't secure them. Criminal stole them, then extorted thousands of vulnerable patients.

OpenSSH fixes double-free memory bug that’s pokable over the network

It's a bug fix for a bug fix. A memory leak was turned into a double-free that has now been turned into correct code...

S3 Ep120: When dud crypto simply won’t let go [Audio + Text]

Latest episode - listen now!

Password-stealing “vulnerability” reported in KeePass – bug or feature?

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

GitHub code-signing certificates stolen (but will be revoked this week)

There was a breach, so the bad news isn't great, but the good news isn't too bad...

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Hive ransomware servers shut down at last, says FBI

Unfortunately, you've probably already heard the cliche that "cybercrime abhors a vacuum"...

Dutch suspect locked up for alleged personal data megathefts

Undercover Austrian "controlled data buy" leads to Amsterdam arrest and ongoing investigation. Suspect is said to steal and sell all sorts of data, including medical records.

S3 Ep119: Breaches, patches, leaks and tweaks! [Audio + Text]

Lastest episode - listen now! (Or read the transcript.)

GoTo admits: Customer cloud backups stolen together with decryption key

We were going to write, "Once more unto the breach, dear friends, once more"... but it seems to go without saying these days.

Apple patches are out – old iPhones get an old zero-day fix at last!

Don't delay, especially if you're still running an iOS 12 device... please do it today!

Serious Security: How dEliBeRaTe tYpOs might imProVe DNS security

It's a really cool and super-simple trick. The question is, "Will it help?"

T-Mobile admits to 37,000,000 customer records stolen by “bad actor”

Once more, it's time for Shakespeare's words: Once more unto the breach...

S3 Ep118: Guess your password? No need if it’s stolen already! [Audio + Text]

As always: entertaining, informative and educational... and not bogged down with jargon! Listen (or read) now...

Serious Security: Unravelling the LifeLock “hacked passwords” story

Four straight-talking tips to improve your online security, whether you're a LifeLock customer or not.

Multi-million investment scammers busted in four-country Europol raid

216 questioned, 15 arrested, 4 fake call centres searched, millions seized...

S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]

Tell us in the comments... What's the REAL reason there was no Windows 9? (No theory too far-fetched!)

Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches

Get 'em while they're hot. And get 'em for the very last time, if you still have Windows 7 or 8.1...

Popular JWT cloud security library patches “remote” code execution hole

It's remotely triggerable, but attackers would already have pretty deep network access if they could "prime" your server for compromise.

CircleCI – code-building service suffers total credential compromise

They're saying "rotate secrets"... in plain English, they mean "change your credentials". The company has a tool to help you find them all.

RSA crypto cracked? Or perhaps not!

Stand down from blue alert, it seems... but why not plan your cryptographic agility anyway?

S3 Ep116: Last straw for LastPass? Is crypto doomed? [Audio + Text]

Lots of big issues this week: breaches, encryption, supply chains and patching problems. Listen now! (Full transcript inside.)

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches

Lessons for us all: improve cryptography, fight cybercrime, own your supply chain... and don't steal my data and then pretend you're sorry.

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

When someone calls you up to warn you that your bank account is under attack - it's true, because THAT VERY PERSON is the one attacking you!

PyTorch: Machine Learning toolkit pwned from Christmas to New Year

The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.

Naked Security 33 1/3 – Cybersecurity predictions for 2023 and beyond

The problem with anniversaries is that there's an almost infinite number of them every day...

The horror! The horror! NOTEPAD gets tabbed editing (very briefly)

Is there a special meaning of "don't" that means "go right ahead"?