That didn’t last! Microsoft turns off the Office security it just turned on

An Office anti-malware setting that took more than 20 years to arrive... and fewer than 20 weeks to vanish again.

Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know

It's a bit like Log4J, but for configuration files, not for logging.

S3 Ep90: Chrome 0-day again, True Cybercrime, and a 2FA bypass [Podcast + Transcript]

Listen now! Or read if you prefer...

OpenSSL fixes two “one-liner” crypto bugs – what you need to know

"As bad as Heartbleed"? We heard that concern a week ago, but we think it's less ungood than that...

Google patches “in-the-wild” Chrome zero-day – update now!

Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

Canadian cybercriminal pleads guilty to “NetWalker” attacks in US

Bust in Canada, now bust in the USA as well.

Facebook 2FA phish arrives just 28 minutes after scam domain created

The crooks hit us up with this phishing email less than half an hour after they activated their new scam domain.

“Missing Cryptoqueen” hits the FBI’s Ten Most Wanted list

The "Missing Cryptoqueen" makes the American Top Ten... but not in a good way.

S3 Ep89: Sextortion, blockchain blunder, and an OpenSSL bugfix [Podcast + Transcript]

Latest episode - listen and read now! Use our advice to advise your own friends and family... let's all do our bit to stand up to scammers!

Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)

Firefox squashes a bug that helped phishers, and brings its own helping hand to Microsoft's "Follina" saga.

Harmony blockchain loses nearly $100M due to hacked private keys

The crooks needed at least two private keys, each stored in two parts... but they got them anyway.

FTC warns of LGBTQ+ extortion scams – be aware before you share!

It's a simple jingle and it's solid advice: "If in doubt, don't give it out!"

OpenSSL issues a bugfix for the previous bugfix

Fortunately, it's not a major bugfix, which means it's easy to patch and can teach us all some useful lessons.

S3 Ep88: Phone scammers, hacking bust, and data breach fines [Podcast + Transcript]

Latest epsiode - listen (or read) now!

Capital One identity theft hacker finally gets convicted

It took three years, but the Capital One cracker was convicted in the end. Don't get caught out in a data breach of your own!

Interpol busts 2000 suspects in phone scamming takedown

Friends don't let friends get scammed. Not everyone knows how typical scams unfold, so here are some real-world examples...

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

We tried it out to make sure, so you don't have to.

Murder suspect admits she tracked cheating partner with hidden AirTag

O! What a tangled web we weave, when first we practise to deceive.

You’re invited! Join us for a live walkthrough of the “Follina” story…

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript]

Latest episode - listen (or read) now!

SSNDOB Market domains seized, identity theft “brokerage” shut down

The online identity "brokerage" SSNDOB Market didn't want people to be in any doubt what it was selling.

Know your enemy! Learn how cybercrime adversaries get in…

Here's how 144 recent attacks actually went down in real life. Don't let this happen to you!

Atlassian announces 0-day hole in Confluence Server – update now!

Zero-day announced - here's what you need to know

Yet another zero-day (sort of) in Windows “search URL” handling

More trouble with special-purpose URLs on Windows.

S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]

Latest episode - listen now!

Firefox 101 is out, this time with no 0-day scares (but update anyway!)

After an intriguing month of Firefox releases, here's one with a bit less drama, probably to the collective relief of Mozilla's coders.

Mysterious “Follina” zero-day hole in Office – here’s what to do!

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Beware the Smish! Home delivery scams with a professional feel…

Home delivery scams are getting leaner, and meaner, and more likely to "look about right". Here's an example to show you what we mean...

S3 Ep84: Government demand, Mozilla velocity, and Clearview fine [Podcast]

Latest episode - listen now!

Who’s watching your webcam? The Screencastify Chrome extension story…

When you really need to make exceptions in cybersecurity, specify them as explicitly as you can.

Poisoned Python and PHP packages purloin passwords for AWS access

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Clearview AI face-matching service fined a lot less than expected

The fine has finally gone through... but it's less than 45% of what was originally proposed.

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

Microsoft patches the Patch Tuesday patch that broke authentication

Remember the good old days when security patches rarely needed patches? Because security patches themlelves were rare enough anyway?

US Government says: Patch VMware right now, or get off our network

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]

Latest episode - listen now!

Pwn2Own hacking schedule released – Windows and Linux are top targets

What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?

Apple patches zero-day kernel hole and much more – update now!

You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

Firefox out-of-band update to 100.0.1 – just in time for Pwn2Own?

A new point-release of Firefox. Not unusual, but the timing of this one is interesting, with Pwn2Own coming up in a few days.

He sold cracked passwords for a living – now he’s serving 4 years in prison

Crooks don't need a password for every user on your network to break in and wreak havoc. One could be enough...

S3 Ep82: Bugs, bugs, bugs (and Colonial Pipeline again) [Podcast]

Latest episode - lots to learn - plain English - fun with a serious side - listen now!

Serious Security: Learning from curl’s latest bug update

Learn how to write plain-speaking and purposeful security advisories from one of the most widely-used open source tools in the world.

Colonial Pipeline facing $1,000,000 fine for poor recovery plans

How good is your cybersecurity? Are you making the same mistakes as lots of other people? Here's some real-life advice...

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

You didn’t leave enough space between ROSE and AND, and AND and CROWN

What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?

S3 Ep81: Passwords (still with us!), Github, Firefox at 100, and network worms [Podcast]

Latest episode - listen now!

World Password Day – the 1960s just called and gave you your passwords back

Yes, passwords are going away. No, it won't happen tomorrow. So it's still worth knowing the basics of picking proper passwords.

Android monthly updates are out – critical bugs found in critical places!

Android May 2022 updates are out - with some critical fixes in some critical places. Learn more...

Firefox hits 100*, fixes bugs… but no new zero-days this month

Despite concerns that some websites might break when Chromium and then Firefox reached version 100, the web still seems to be intact.

GitHub issues final report on supply-chain source code intrusions

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

S3 Ep80: Ransomware news, phishing woes, NAS bugs, and a giant hole in Java [Podcast]

Latest episode - listen now!

Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

You might not like the headline statistics in this year's ransomware report... but that makes it even more important to take a look!

Phishing goes KISS: Don’t let plain and simple messages catch you out!

Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because they're uncomplicated.

QNAP warns of new bugs in its Network Attached Storage devices

Here's what you need to know - plus some sensible advice for all the devices on your home or small biz network!

S3 Ep79: Chrome hole, a bad place for a cybersecurity holiday, and crypto-dodginess [Podcast]

Do you know your Adam Osborne from your John Osbourne? Your Z80 from your 6502? Latest episode - listen now!

Critical cryptographic Java security blunder patched – update now!

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Beanstalk cryptocurrency heist: scammer votes himself all the money

Voting safeguards based on commuity collateral don't work if one person can use a momentary loan to "become" 75% of the community.

Yet another Chrome zero-day emergency update – patch now!

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

S3 Ep78: Darkweb hydra, Ruby, quantum computing, and a robot revolution [Podcast]

Latest episode - listen now!