“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

By: Paul Ducklin — August 21^st 2023 at 17:45

WYSIWYG is short for "what you see is what you get". Except when it isn't...

Naked Security

S3 Ep146: Tell us about that breach! (If you want to.)

By: Paul Ducklin — August 3^rd 2023 at 17:56

Serious security stories explained clearly in plain English - listen now. (Full transcript available.)

Naked Security

S3 Ep145: Bugs With Impressive Names!

By: Paul Ducklin — July 27^th 2023 at 16:47

Fascinating fun (with a serious and educational side) - listen now! Full transcript available inside.

Naked Security

S3 Ep136: Navigating a manic malware maelstrom

By: Paul Ducklin — May 25^th 2023 at 16:50

Latest episode - listen now. Full transcript inside...

Naked Security

PyPI open-source code repository deals with manic malware maelstrom

By: Paul Ducklin — May 23^rd 2023 at 16:45

Controlled outage used to keep malware marauders from gumming up the works. Learn what you can do to help in future...

Naked Security

Zut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

By: Paul Ducklin — May 15^th 2023 at 16:36

We asked you once, we told you twice, now we're ordering you for the third time...

Naked Security

PHP Packagist supply chain poisoned by hacker “looking for a job”

By: Paul Ducklin — May 5^th 2023 at 16:59

I pwned you! Gizza job! You know it makes sense!

Naked Security

Tracked by hidden tags? Apple and Google unite to propose safety and security standards…

By: Paul Ducklin — May 3^rd 2023 at 19:58

To bleat, or not to bleat, that is the question.

Naked Security

Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert

By: Paul Ducklin — April 11^th 2023 at 16:58

Stealing private keys is like getting hold of a medieval monarch's personal signet ring... you get to put an official seal on treasonous material.

Naked Security

S3 Ep129: When spyware arrives from someone you trust

By: Paul Ducklin — April 6^th 2023 at 14:57

Scanning tools, supply-chain malware, Wi-Fi hacking, and why there should be TWO World Backup Days... listen now!

Naked Security

Supply chain blunder puts 3CX telephone app users at risk

By: Paul Ducklin — March 30^th 2023 at 17:36

Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.

Naked Security

NPM JavaScript packages abused to create scambait links in bulk

By: Paul Ducklin — February 22^nd 2023 at 18:59

Free spins? Bonus game points? Cheap social media followers? What harm could it possibly do if you just take a tiny little look?!

Naked Security

PyTorch: Machine Learning toolkit pwned from Christmas to New Year

By: Paul Ducklin — January 1^st 2023 at 21:36

The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.

Naked Security

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

By: Paul Ducklin — December 15^th 2022 at 17:10

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

Naked Security

COVID-bit: the wireless spyware trick with an unfortunate name

By: Paul Ducklin — December 13^th 2022 at 17:58

It's not the switching that's the problem, it's the switching of the switching!

ind-1200

Naked Security

TikTok “Invisible Challenge” porn malware puts us all at risk

By: Paul Ducklin — November 29^th 2022 at 17:58

An injury to one is an injury to all. Especially if the other people are part of your social network.

Naked Security

“Gucci Master” business email scammer Hushpuppi gets 11 years

By: Naked Security writer — November 14^th 2022 at 16:24

Learn how to protect yourself from big-money tricksters like the Hushpuppis of the world...

puppi-car-1200

Naked Security

S3 Ep106: Facial recognition without consent – should it be banned?

By: Paul Ducklin — October 27^th 2022 at 16:59

Latest episode - listen (or read) now. Teachable moments for X-Ops professionals!

Naked Security

Clearview AI image-scraping face recognition service hit with €20m fine in France

By: Paul Ducklin — October 26^th 2022 at 00:50

"We told you to stop but you ignored us," said the French regulator, "so now we're coming after you again."

Naked Security

S3 Ep98: The LastPass saga – should we stop using password managers? [Audio + Text]

By: Paul Ducklin — September 1^st 2022 at 16:55

Latest episode - listen now!

Naked Security

Breaching airgap security: using your phone’s gyroscope as a microphone

By: Paul Ducklin — August 24^th 2022 at 18:59

One bit per second makes the Voyager probe data rate seem blindingly fast. But it's enough to break your security assumptions...

Naked Security

Apple patches double zero-day in browser and kernel – update now!

By: Paul Ducklin — August 17^th 2022 at 23:33

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Naked Security

GitHub blighted by “researcher” who created thousands of malicious projects

By: Paul Ducklin — August 3^rd 2022 at 23:06

If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.

Naked Security

Murder suspect admits she tracked cheating partner with hidden AirTag

By: Paul Ducklin — June 14^th 2022 at 16:49

O! What a tangled web we weave, when first we practise to deceive.

Naked Security

Poisoned Python and PHP packages purloin passwords for AWS access

By: Paul Ducklin — May 24^th 2022 at 23:04

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Naked Security

Clearview AI face-matching service fined a lot less than expected

By: Paul Ducklin — May 23^rd 2022 at 13:01

The fine has finally gone through... but it's less than 45% of what was originally proposed.

eleceye-1200

Naked Security

RubyGems supply chain rip-and-replace bug fixed – check your logs!

By: Paul Ducklin — May 9^th 2022 at 15:41

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

ruby-1200

Naked Security

GitHub issues final report on supply-chain source code intrusions

By: Paul Ducklin — April 29^th 2022 at 16:15

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

Naked Security

Beanstalk cryptocurrency heist: scammer votes himself all the money

By: Paul Ducklin — April 19^th 2022 at 16:00

Voting safeguards based on commuity collateral don't work if one person can use a momentary loan to "become" 75% of the community.

Naked Security

S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]

By: Paul Ducklin — March 3^rd 2022 at 14:04

Latest episode - listen now (or read it, if that's your preference)...

Naked Security

Apple AirTag anti-stalking protection bypassed by researchers

By: Paul Ducklin — February 23^rd 2022 at 17:59

Problems with Apple's Tracker Detect system, which warns you of likely stalking attempts using hidden AirTags.

Naked Security

Wormhole cryptotrading company turns over $340,000,000 to criminals

By: Paul Ducklin — February 4^th 2022 at 17:38

It was the best of blockchains, it was the worst of blockchains... as Charles Dickens might have said.

Naked Security

S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]

By: Paul Ducklin — January 13^th 2022 at 15:26

Latest episode -listen to it or read it now!

Naked Security

JavaScript developer destroys own projects in supply chain “lesson”

By: Paul Ducklin — January 11^th 2022 at 00:54

Two popular open source JavaScript packages recently got "hacked" in a symbolic gesture by the original project creator.

Naked Security

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

By: Paul Ducklin — December 16^th 2021 at 17:41

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

Naked Security

S3 Ep61: Call scammers, cloud insecurity, and facial recognition creepiness [Podcast+Transcript]

By: Paul Ducklin — December 2^nd 2021 at 20:50

Latest episode - listen now!

Naked Security

Clearview AI face-matching service set to be fined over $20m

By: Paul Ducklin — November 30^th 2021 at 19:13

Scraping data for a facial recognition service? "That's unlawful", concluded both the British and the Australians.

Naked Security

Samba update patches plaintext password plundering problem

By: Paul Ducklin — November 12^th 2021 at 17:59

When Microsoft itself says STOP USING X, where X is one of its own protocols... we think you should listen.

Naked Security

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

By: Paul Ducklin — November 9^th 2021 at 12:31

The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.