“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

By: Paul Ducklin — August 21^st 2023 at 17:45

WYSIWYG is short for "what you see is what you get". Except when it isn't...

Naked Security

S3 Ep142: Putting the X in X-Ops

By: Paul Ducklin — July 6^th 2023 at 17:58

How to get all your corporate "Ops" teams working together, with cybersecurity correctness as a guiding light.

s3-ep100-js-1200

Naked Security

S3 Ep141: What was Steve Jobs’s first job?

By: Paul Ducklin — June 29^th 2023 at 16:58

Latest episode - listen now! (Full transcript inside.)

Naked Security

Aussie PM says, “Shut down your phone every 24 hours for 5 mins” – but that’s not enough on its own

By: Paul Ducklin — June 23^rd 2023 at 16:10

Don't treat rebooting your phone once a day as a cybersecurity talisman... here are 8 additional tips for better mobile phone security.

Naked Security

Beware bad passwords as attackers co-opt Linux servers into cybercrime

By: Paul Ducklin — June 21^st 2023 at 17:50

Did you prevent password-only logins on your SSH servers? On ALL of them? Are you sure about that?

Naked Security

S3 Ep139: Are password rules like running through rain?

By: Paul Ducklin — June 15^th 2023 at 16:43

Latest episode - listen now! (Full transcript inside.)

Naked Security

Gozi banking malware “IT chief” finally jailed after more than 10 years

By: Paul Ducklin — June 13^th 2023 at 16:43

Gozi threesome from way back in the late 2000s and early 2010s now all charged, convicted and sentenced. The DOJ got there in the end...

Naked Security

S3 Ep136: Navigating a manic malware maelstrom

By: Paul Ducklin — May 25^th 2023 at 16:50

Latest episode - listen now. Full transcript inside...

Naked Security

PyPI open-source code repository deals with manic malware maelstrom

By: Paul Ducklin — May 23^rd 2023 at 16:45

Controlled outage used to keep malware marauders from gumming up the works. Learn what you can do to help in future...

Naked Security

S3 Ep133: Apple takes “tight-lipped” to a whole new level

By: Paul Ducklin — May 4^th 2023 at 20:59

Entertaining, educational, and all in plain English 🎧📖

Naked Security

Mac malware-for-hire steals passwords and cryptocoins, sends “crime logs” via Telegram

By: Paul Ducklin — April 30^th 2023 at 01:23

These malware peddlers are specifically going after Mac users. The hint's in the name: "Atomic macOS Stealer", or AMOS for short.

Naked Security

Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert

By: Paul Ducklin — April 11^th 2023 at 16:58

Stealing private keys is like getting hold of a medieval monarch's personal signet ring... you get to put an official seal on treasonous material.

Naked Security

S3 Ep129: When spyware arrives from someone you trust

By: Paul Ducklin — April 6^th 2023 at 14:57

Scanning tools, supply-chain malware, Wi-Fi hacking, and why there should be TWO World Backup Days... listen now!

Naked Security

Supply chain blunder puts 3CX telephone app users at risk

By: Paul Ducklin — March 30^th 2023 at 17:36

Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.

Naked Security

LastPass: Keylogger on home PC led to cracked corporate password vault

By: Paul Ducklin — February 28^th 2023 at 02:23

Seems the crooks implanted a keylogger via a vulnerable media app (LastPass politely didn't say which one!) on a developer's home computer.

Naked Security

Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!

By: Paul Ducklin — February 27^th 2023 at 02:10

Even in Apple's and Google's "walled gardens", there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.)

Naked Security

S3 Ep123: Crypto company compromise kerfuffle [Audio + Text]

By: Paul Ducklin — February 23^rd 2023 at 17:58

Latest episode - listen now! Top-notch advice for cybersecurity, both at work and at home.

Naked Security

GoDaddy admits: Crooks hit us with malware, poisoned customer websites

By: Paul Ducklin — February 20^th 2023 at 01:36

New report admits that attackers were detected in the network about three months ago, and may have been attacking for about three years.

Naked Security

Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches

By: Paul Ducklin — January 11^th 2023 at 00:22

Get 'em while they're hot. And get 'em for the very last time, if you still have Windows 7 or 8.1...

Naked Security

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches

By: Paul Ducklin — January 4^th 2023 at 19:50

Lessons for us all: improve cryptography, fight cybercrime, own your supply chain... and don't steal my data and then pretend you're sorry.

Naked Security

PyTorch: Machine Learning toolkit pwned from Christmas to New Year

By: Paul Ducklin — January 1^st 2023 at 21:36

The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.

Naked Security

S3 Ep115: True crime stories – A day in the life of a cybercrime fighter [Audio + Text]

By: Paul Ducklin — December 29^th 2022 at 09:20

Listen now - you'll be alarmed, amused and educated, all in equal measure. (Full transcript in article.)

Naked Security

S3 Ep114: Preventing cyberthreats – stop them before they stop you! [Audio + Text]

By: Paul Ducklin — December 22^nd 2022 at 17:56

Join world-renowned expert Fraser Howard, Director of Research at SophosLabs, for this fascinating episode on how to fight cybercrime.

Naked Security

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

By: Paul Ducklin — December 15^th 2022 at 17:10

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

Naked Security

S3 Ep112: Data breaches can haunt you more than once! [Audio + Text]

By: Paul Ducklin — December 9^th 2022 at 16:46

Breaches, exploits, busts, buffer overflows and bug hunting - entertaining and educational in equal measure.

Naked Security

Credit card skimming – the long and winding road of supply chain failure

By: Paul Ducklin — December 8^th 2022 at 17:58

Don't keep calling home to a JavaScript server that closed its doors eight years ago!

Naked Security

S3 Ep111: The business risk of a sleazy “nudity unfilter” [Audio + Text]

By: Paul Ducklin — December 1^st 2022 at 17:58

Latest episode - listen now (or read if you prefer)...

Naked Security

The CHRISTMA EXEC network worm – 35 years and counting!

By: Paul Ducklin — December 1^st 2022 at 20:35

"Uh-oh, this viruses-and-worms scene could turn out quite troublesome." If only we'd been wrong...

xmas-1200-35-wide

Naked Security

TikTok “Invisible Challenge” porn malware puts us all at risk

By: Paul Ducklin — November 29^th 2022 at 17:58

An injury to one is an injury to all. Especially if the other people are part of your social network.

Naked Security

Multimillion dollar CryptoRom scam sites seized, suspects arrested in US

By: Paul Ducklin — November 23^rd 2022 at 19:58

Five tips to keep yourself, and your friends and family, out of the clutches of "chopping block" scammers...

cryptorom-1200

Naked Security

S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text]

By: Paul Ducklin — November 3^rd 2022 at 17:51

Listen now - latest episode - audio plus full transcript

Naked Security

Online ticketing company “See” pwned for 2.5 years by attackers

By: Paul Ducklin — October 26^th 2022 at 16:58

Don't be a cybersecurity slowcoach - you need to spot possible attacks as soon as you can.

Naked Security

WhatsApp goes after Chinese password scammers via US court

By: Paul Ducklin — October 7^th 2022 at 16:14

If you can't beat 'em, sue 'em!

Naked Security

Interested in cybersecurity? Join us for Security SOS Week 2022!

By: Paul Ducklin — September 21^st 2022 at 14:24

Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.

Naked Security

S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security [Audio + Text]

By: Paul Ducklin — August 18^th 2022 at 14:38

Latest episode - listen now (or read if you prefer!)

Naked Security

Apple patches double zero-day in browser and kernel – update now!

By: Paul Ducklin — August 17^th 2022 at 23:33

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Naked Security

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]

By: Paul Ducklin — August 11^th 2022 at 14:34

Latest episode - listen now! (Or read the transcript if you prefer.)

Naked Security

GitHub blighted by “researcher” who created thousands of malicious projects

By: Paul Ducklin — August 3^rd 2022 at 23:06

If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.

Naked Security

Office macro security: on-again-off-again feature now BACK ON AGAIN!

By: Paul Ducklin — July 23^rd 2022 at 01:10

20 years to turn it on, then 20 weeks to turn it off, then just 2 weeks to turn it back on again. That's progress!

Naked Security

Last member of Gozi malware troika arrives in US for criminal trial

By: Paul Ducklin — July 20^th 2022 at 14:56

His co-conspirators went into and got out of prison years ago, while he remained free. Now the tables have turned...

Naked Security

8 months on, US says Log4Shell will be around for “a decade or longer”

By: Paul Ducklin — July 18^th 2022 at 16:57

When it comes to cybersecurity, ask not what everyone else can do for you...

Naked Security

S3 Ep91: CodeRed, OpenSSL, Java bugs, Office macros [Audio + Text]

By: Paul Ducklin — July 14^th 2022 at 18:47

Latest episode - listen now! Great discussion, technical content, solid advice... all covered in plain English.

Naked Security

That didn’t last! Microsoft turns off the Office security it just turned on

By: Paul Ducklin — July 11^th 2022 at 13:27

An Office anti-malware setting that took more than 20 years to arrive... and fewer than 20 weeks to vanish again.

Naked Security

S3 Ep88: Phone scammers, hacking bust, and data breach fines [Podcast + Transcript]

By: Paul Ducklin — June 23^rd 2022 at 11:08

Latest epsiode - listen (or read) now!

Naked Security

Capital One identity theft hacker finally gets convicted

By: Paul Ducklin — June 21^st 2022 at 15:24

It took three years, but the Capital One cracker was convicted in the end. Don't get caught out in a data breach of your own!

Naked Security

You’re invited! Join us for a live walkthrough of the “Follina” story…

By: Paul Ducklin — June 13^th 2022 at 16:28

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

Naked Security

Poisoned Python and PHP packages purloin passwords for AWS access

By: Paul Ducklin — May 24^th 2022 at 23:04

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Naked Security

S3 Ep80: Ransomware news, phishing woes, NAS bugs, and a giant hole in Java [Podcast]

By: Paul Ducklin — April 28^th 2022 at 13:18

Latest episode - listen now!

Naked Security

S3 Ep75: Okta hack, CryptoRom, OpenSSL, and CafePress [Podcast]

By: Paul Ducklin — March 24^th 2022 at 13:49

Latest episode - listen now!

Naked Security

Beware bogus Betas – cryptocoin scammers abuse Apple’s TestFlight system

By: Paul Ducklin — March 16^th 2022 at 15:49

"Install this moneymaking app" - this one is so special that it isn't available on Google Play or the App Store!

Naked Security

At last! Office macros from the internet to be blocked by default

By: Paul Ducklin — February 8^th 2022 at 16:34

It's been a long time coming, and we're not there yet, but at least Microsoft Office will be a bit safer against macro malware...

Naked Security

Microsoft blocks web installation of its own App Installer files

By: Paul Ducklin — February 7^th 2022 at 16:36

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Naked Security

Firefox update brings a whole new sort of security sandbox

By: Paul Ducklin — December 7^th 2021 at 17:14

Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.

Naked Security

Black Friday and Cyber Monday – here’s what you REALLY need to do!

By: Paul Ducklin — November 22^nd 2021 at 12:52

The world fills up with cybersecurity tips every year when Black Friday comes round. But what about the rest of the year?

Naked Security

S3 Ep59: Emotet, an FBI hoax, Samba bugs, and a hijackable suitcase [Podcast]

By: Paul Ducklin — November 18^th 2021 at 15:00

Latest episode - listen now!

Naked Security

Emotet malware: “The report of my death was an exaggeration”

By: Paul Ducklin — November 16^th 2021 at 14:13

"Old malware rarely dies." The best way to predict the future is to look at the past... if it worked before, it will probably work again.

Naked Security

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

By: Paul Ducklin — November 9^th 2021 at 12:31

The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.

Naked Security

“Customer complaint” email scam preys on your fear of getting into trouble at work

By: Paul Ducklin — November 5^th 2021 at 17:49

Stop. Think. Connect. Don't let the crooks trick you into acting in haste.