VMware fixes holes that could allow virtual machine escapes

Hats off to VMware for not using weasel words: "When should you act?" Immediately...

Google announces zero-day in Chrome browser – update now!

Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

Adobe fixes zero-day exploit in e-commerce code: update now!

There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

Power company pays out $3 trillion compensation to astonished customer

More money than the UK's economy produces in a year!

Apple zero-day drama for Macs, iPhones and iPads – patch now!

Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

S3 Ep69: WordPress woes, Wormhole holes, and a Microsoft change of heart [Podcast + Transcript]

Latest episode - listen now!

Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist

The cops say they've recovered 80% of a $72 million cryptocoin heist... but the recovered funds alone are now worth over $4 billion!

At last! Office macros from the internet to be blocked by default

It's been a long time coming, and we're not there yet, but at least Microsoft Office will be a bit safer against macro malware...

Microsoft blocks web installation of its own App Installer files

It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.

Wormhole cryptotrading company turns over $340,000,000 to criminals

It was the best of blockchains, it was the worst of blockchains... as Charles Dickens might have said.

S3 Ep68: Bugs, scams, privacy …and fonts?! [Podcast + Transcript]

Latest episode - listen now!

Elementor WordPress plugin has a gaping security hole – update now

We shouldn't need to say, "Check your inputs!" these days, but we're saying it anyway.

Linux kernel patches “performance can be harmful” bug in video driver

This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.

Website operator fined for using Google Fonts “the cloudy way”

Google Fonts are OK, it seems, but only if everyone keeps their own copy of the fonts they use.

Coronavirus SMS scam offers home PCR testing devices – don’t fall for it!

Free home PCR devices would be technological marvels, and really useful, too. But there aren't any...

Happy Data Privacy Day – and we really do mean “happy” :-)

We give you some simple digital lifesytle tips that cost nothing.

Apple fixes Safari data leak (and patches a zero-day!) – update now

That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

S3 Ep67: Tax scams, carder busts and crypto capers [Podcast + Transcript]

Latest episode - listen now!

“PwnKit” security bug gets you root on most Linux distros – what to do

An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell

Tax scam emails are alive and well as US tax season starts

If in doubt, don't give it out! (And don't forget that no reply is often a good reply.)

Alleged carder gang mastermind and three acolytes under arrest in Russia

The motto of the gang was "In Fraud We Trust", and they went by a dizzying range of online nicknames.

Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft

The company has put out a brief security report that summarises the 'what', but not yet the 'how' or 'why'.

S3 Ep66: Cybercrime busts, wormable Windows, and the crisis of featuritis [Podcast + Transcript]

Latest epsiode - listen now!

Serious Security: Apple Safari leaks private data via database API – what you need to know

There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing

Romance scammer who targeted 670 women gets 28 months in jail

Found love online? Sending them money? Friends and family warning you it could be a scam? Don't be too quick to dismiss their concerns...

Serious Security: Linux full-disk encryption bug fixed – patch now!

Imagine if someone who didn't have your password could sneakily modify data that was encrypted with it.

REvil ransomware crew allegedly busted in Russia, says FSB

The Russian Federal Security Bureau has just published a report about the investigation and arrest of the infamous "REvil" ransomware crew.

S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]

Latest episode -listen to it or read it now!

Wormable Windows HTTP hole – what you need to know

One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".

Home routers with NetUSB support could have critical kernel hole

Got a router that supports USB access across the network? You might need a kernel update...

JavaScript developer destroys own projects in supply chain “lesson”

Two popular open source JavaScript packages recently got "hacked" in a symbolic gesture by the original project creator.

Honda cars in flashback to 2002 – “Can’t Get You Out Of My Head”

Where were YOU on the night of 17 May 2002? And what about the day after that?

Log4Shell-like security hole found in popular Java SQL database engine H2

"It's Log4Shell, Jim, but not as we know it." How to find and fix a JNDI-based vuln in the H2 Database Engine.

S3 Ep64: Log4Shell again, scammers keeping busy, and Apple Home bug [Podcast + Transcript]

We're back for 2022 - listen now!

FTC threatens “legal action” over unpatched Log4j and other vulns

Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!

Apple Home software bug could lock you out of your iPhone

The finder of this bug insists it "poses a serious risk". We're not so sure, but we recommend you take steps to avoid it anyway.

Instagram copyright infringment scams – don’t get sucked in!

We deconstructed a copyright phish so you don't have to. Be warned: the crooks are getting better at these scams...

Log4Shell vulnerability Number Four: “Much ado about something”

It's a Log4j bug, and you ought to patch it. But we don't think it's a critical crisis like the last one.

SFW! The Top N Cyber­security Stories of 2021 (for small positive integer values of N)

Happy Holidays! Our Top N stories, all totally SFW!

The cool retro phone with a REAL DIAL… plus plenty of IoT problems

You know you want one, because this retro phone is NOT A TOY... except when it comes to cybersecurity.

Plundered bitcoins recovered by FBI – all 3,879-and-one-sixth of them!

Phew! An audacious crime... that didn't work out.

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!

The Apache web server just got an update - this one is nothing to do with Log4j!

Log4Shell: The Movie… a short, safe visual tour for work and home

Be happy that your sysadmins are taking one (three, actually!) for the team right now... here's why!

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

Have you ever seen the message "An error occurred"? Even worse, the message "This error cannot occur"? Facts matter!

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

Apple security updates are out – and not a Log4Shell mention in sight

Get 'em while they're hot!

Log4Shell explained – how it works, why you need to know, and how to fix it

Find out how to deal with the Log4Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!

“Log4Shell” Java vulnerability – how to safeguard your servers

Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product

S3 Ep62: The S in IoT stands for security (and much more) [Podcast+Transcript]

Listen now or read as an article! (Full transcript inside.)

Firefox update brings a whole new sort of security sandbox

Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.

Cryptocurrency startup fails to subtract before adding, loses $31m

Think of a number, any number. Take away 42. Add 42 back in. Then pretend you didn't take away 42. How much is left?

Mozilla patches critical “BigSig” cryptographic bug: Here’s how to track it down and fix it

Mozilla's cryptographic code had a critical bug. Problem is that numerous apps are affected and may need patching individually.

S3 Ep61: Call scammers, cloud insecurity, and facial recognition creepiness [Podcast+Transcript]

Latest episode - listen now!

IoT devices must “protect consumers from cyberharm”, says UK government

"Must be at least THIS tall to go on ride" seems to be the starting point. Too little, too late? Or better than nothing?

Clearview AI face-matching service set to be fined over $20m

Scraping data for a facial recognition service? "That's unlawful", concluded both the British and the Australians.

Cloud Security: Don’t wait until your next bill to find out about an attack!

Cloud security is the best sort of altruism: you need to do it to protect yourself, but you help to protect everyone else at the same time.

S3 Ep60: Exchange exploit, GoDaddy breach and cookies made public [Podcast]

Latest episode - listen now! Solid cybersecurity advice in plain English.

US government securities watchdog spoofed by investment scammers – don’t fall for it!

Those numbers that show up on your phone to tell you who's calling? Treat them as SUGGESTIONS, never as PROOF.

Check your patches – public exploit now out for critical Exchange bug

It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.

GoDaddy admits to password breach: check your Managed WordPress site!

GoDaddy found crooks in its network, and kicked them out - but not before they'd been in there for six weeks.