Bitcoin ATMs leeched by attackers who created fake admin accounts

The criminals didn't implant any malware. The attack was orchestrated via malevolent configuration changes.

Laptop denial-of-service via music: the 1980s R&B song with a CVE!

We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)

S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security [Audio + Text]

Latest episode - listen now (or read if you prefer!)

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Chrome browser gets 11 security fixes with 1 zero-day – update now!

Don't delay - patch today.

Zoom for Mac patches critical bug – update now!

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]

Latest episode - listen now! (Or read the transcript if you prefer.)

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

Traffic Light Protocol for cybersecurity responders gets a revamp

Traffic lights make a handy global metaphor for denoting the sensitivity of cybersecurity threat data - three colours that everyone knows.

S3 Ep94: This sort of crypto (graphy), and the other sort of crypto (currency!) [Audio + Text]

Latest episode - listen now! (Or read if that's what you prefer.)

GitHub blighted by “researcher” who created thousands of malicious projects

If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.

Cryptocoin “token swapper” Nomad loses $200 million in coding blunder

Transactions were only approved, it seems, if they were initiated by... errrrr, by anyone.

GnuTLS patches memory mismanagement bug – update now!

GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn more...

How to celebrate SysAdmin Day!

I've just popped in to wish you all/The best SysAdmin Day!

S3 Ep93: Office security, breach costs, and leisurely patches [Audio + Text]

Latest episode - listen now!

Critical Samba bug could let anyone become Domain Admin – patch now!

It's a serious bug... but there's a fix for it, so you know exactly what to do!

Mild monthly security update from Firefox – but update anyway

You're probably thinking we're going to say, "Don't delay/Do it today"... and that's exactly what we are saying!

S3 Ep92: Log4Shell4Ever, travel tips, and scamminess [Audio + Text]

Latest episode - listen, read or both!

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

One vendor's zero-day is another vendor's routine patch...

8 months on, US says Log4Shell will be around for “a decade or longer”

When it comes to cybersecurity, ask not what everyone else can do for you...

S3 Ep91: CodeRed, OpenSSL, Java bugs, Office macros [Audio + Text]

Latest episode - listen now! Great discussion, technical content, solid advice... all covered in plain English.

Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know

It's a bit like Log4J, but for configuration files, not for logging.

S3 Ep90: Chrome 0-day again, True Cybercrime, and a 2FA bypass [Podcast + Transcript]

Listen now! Or read if you prefer...

OpenSSL fixes two “one-liner” crypto bugs – what you need to know

"As bad as Heartbleed"? We heard that concern a week ago, but we think it's less ungood than that...

Google patches “in-the-wild” Chrome zero-day – update now!

Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

Canadian cybercriminal pleads guilty to “NetWalker” attacks in US

Bust in Canada, now bust in the USA as well.

S3 Ep89: Sextortion, blockchain blunder, and an OpenSSL bugfix [Podcast + Transcript]

Latest episode - listen and read now! Use our advice to advise your own friends and family... let's all do our bit to stand up to scammers!

Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)

Firefox squashes a bug that helped phishers, and brings its own helping hand to Microsoft's "Follina" saga.

OpenSSL issues a bugfix for the previous bugfix

Fortunately, it's not a major bugfix, which means it's easy to patch and can teach us all some useful lessons.

S3 Ep88: Phone scammers, hacking bust, and data breach fines [Podcast + Transcript]

Latest epsiode - listen (or read) now!

Capital One identity theft hacker finally gets convicted

It took three years, but the Capital One cracker was convicted in the end. Don't get caught out in a data breach of your own!

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

We tried it out to make sure, so you don't have to.

You’re invited! Join us for a live walkthrough of the “Follina” story…

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript]

Latest episode - listen (or read) now!

SSNDOB Market domains seized, identity theft “brokerage” shut down

The online identity "brokerage" SSNDOB Market didn't want people to be in any doubt what it was selling.

Know your enemy! Learn how cybercrime adversaries get in…

Here's how 144 recent attacks actually went down in real life. Don't let this happen to you!

Atlassian announces 0-day hole in Confluence Server – update now!

Zero-day announced - here's what you need to know

Yet another zero-day (sort of) in Windows “search URL” handling

More trouble with special-purpose URLs on Windows.

S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]

Latest episode - listen now!

Firefox 101 is out, this time with no 0-day scares (but update anyway!)

After an intriguing month of Firefox releases, here's one with a bit less drama, probably to the collective relief of Mozilla's coders.

Mysterious “Follina” zero-day hole in Office – here’s what to do!

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

S3 Ep84: Government demand, Mozilla velocity, and Clearview fine [Podcast]

Latest episode - listen now!

Poisoned Python and PHP packages purloin passwords for AWS access

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

Microsoft patches the Patch Tuesday patch that broke authentication

Remember the good old days when security patches rarely needed patches? Because security patches themlelves were rare enough anyway?

US Government says: Patch VMware right now, or get off our network

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]

Latest episode - listen now!

Pwn2Own hacking schedule released – Windows and Linux are top targets

What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?

Apple patches zero-day kernel hole and much more – update now!

You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

S3 Ep82: Bugs, bugs, bugs (and Colonial Pipeline again) [Podcast]

Latest episode - lots to learn - plain English - fun with a serious side - listen now!

Serious Security: Learning from curl’s latest bug update

Learn how to write plain-speaking and purposeful security advisories from one of the most widely-used open source tools in the world.

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

You didn’t leave enough space between ROSE and AND, and AND and CROWN

What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?

S3 Ep81: Passwords (still with us!), Github, Firefox at 100, and network worms [Podcast]

Latest episode - listen now!

World Password Day – the 1960s just called and gave you your passwords back

Yes, passwords are going away. No, it won't happen tomorrow. So it's still worth knowing the basics of picking proper passwords.

Android monthly updates are out – critical bugs found in critical places!

Android May 2022 updates are out - with some critical fixes in some critical places. Learn more...

Firefox hits 100*, fixes bugs… but no new zero-days this month

Despite concerns that some websites might break when Chromium and then Firefox reached version 100, the web still seems to be intact.

GitHub issues final report on supply-chain source code intrusions

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

S3 Ep80: Ransomware news, phishing woes, NAS bugs, and a giant hole in Java [Podcast]

Latest episode - listen now!