“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

WYSIWYG is short for "what you see is what you get". Except when it isn't...

SEC demands four-day disclosure limit for cybersecurity breaches

When is a ransomware attack a reportable matter? And how long have you got to decide?

S3 Ep145: Bugs With Impressive Names!

Fascinating fun (with a serious and educational side) - listen now! Full transcript available inside.

Zenbleed: How the quest for CPU performance could put your passwords at risk

You need to turn on a special setting to stop (the code you wrote to stop [the code you wrote to improve performance] from reducing performance) from reducing security.

Apple ships that recent “Rapid Response” spyware patch to everyone, fixes a second zero-day

Another month, another patch for in-the-wild iPhone malware (and a whole lot more).

Microsoft hit by Storm season – a tale of two semi-zero days

The first compromise didn't get the crooks as far as they wanted, so they found a second one that did...

Microsoft patches four zero-days, finally takes action against crimeware kernel drivers

Here's a brief reminder to do two things. The first is to patch. The second is to read up why it's a good idea to patch...

Apple silently pulls its latest zero-day update – what now?

Previously, we said "do it today", but now we're forced back on: "Do not delay; do it as soon as Apple and your device will let you."

Ghostscript bug could allow rogue documents to run system commands

Even if you've never heard of the venerable Ghostscript project, you may have it installed without knowing.

S3 Ep141: What was Steve Jobs’s first job?

Latest episode - listen now! (Full transcript inside.)

Aussie PM says, “Shut down your phone every 24 hours for 5 mins” – but that’s not enough on its own

Don't treat rebooting your phone once a day as a cybersecurity talisman... here are 8 additional tips for better mobile phone security.

MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”

Twice more unto the breach... third patch tested and released, shut down web access until you've applied it

Chrome and Edge zero-day: “This exploit is in the wild”, so check your versions now

Chrome and Edge 0-days patched.

PyPI open-source code repository deals with manic malware maelstrom

Controlled outage used to keep malware marauders from gumming up the works. Learn what you can do to help in future...

Apple’s secret is out: 3 zero-days fixed, so be sure to patch now!

All Apple users have zero-days that need patching, though some have more zero-days than others.

Zut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

We asked you once, we told you twice, now we're ordering you for the third time...

Apple delivers first-ever Rapid Security Response “cyberattack” patch – leaves some users confused

Just when we'd got used to three-numbered versions, such as "13.3.1", here comes an update suffix, bringing you "13.3.1 (a)"...

Google leaking 2FA secrets – researchers advise against new “account sync” feature for now

You waited 13 years for this feature in Google Authenticator. Now researchers are advising you to wait a while longer, just in case...

Ex-CEO of breached pyschotherapy clinic gets prison sentence for bad data security

Did the sentence fit the crime? Read the backstory, and then have your say in our comments! (You may post anonymously.)

Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert

Stealing private keys is like getting hold of a medieval monarch's personal signet ring... you get to put an official seal on treasonous material.

Apple issues emergency patches for spyware-style 0-day exploits – update now!

A bug to hack your browser, then a bug to pwn the kernel... reported from the wild by Amnesty International.

Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know

Grab a message/Play it back/You've just performed/A big phat hack...

Supply chain blunder puts 3CX telephone app users at risk

Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.

Apple patches everything, including a zero-day fix for iOS 15 users

Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.

In Memoriam – Gordon Moore, who put the more in “Moore’s Law”

His prediction was called a "Law", though it was an exhortation to engineering excellence as much it was an estimate.

S3 Ep124: When so-called security apps go rogue [Audio + Text]

Rogue software packages. Rogue "sysadmins". Rogue keyloggers. Rogue authenticators. Rogue ROGUES!

Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!

Even in Apple's and Google's "walled gardens", there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.)

Twitter tells users: Pay up if you want to keep using insecure 2FA

Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

Finnish psychotherapy extortion suspect arrested in France

Company transcribed ultra-personal conversations, didn't secure them. Criminal stole them, then extorted thousands of vulnerable patients.

S3 Ep120: When dud crypto simply won’t let go [Audio + Text]

Latest episode - listen now!

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Dutch suspect locked up for alleged personal data megathefts

Undercover Austrian "controlled data buy" leads to Amsterdam arrest and ongoing investigation. Suspect is said to steal and sell all sorts of data, including medical records.

Serious Security: Unravelling the LifeLock “hacked passwords” story

Four straight-talking tips to improve your online security, whether you're a LifeLock customer or not.

Popular JWT cloud security library patches “remote” code execution hole

It's remotely triggerable, but attackers would already have pretty deep network access if they could "prime" your server for compromise.

PyTorch: Machine Learning toolkit pwned from Christmas to New Year

The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.

US passes the Quantum Computing Cybersecurity Preparedness Act – and why not?

Cryptographic agility: the ability and the willingness to change quickly when needed.

Twitter data of “+400 million unique users” up for sale – what to do?

If the crooks have connected up your phone number and your Twitter handle... what could go wrong?

S3 Ep114: Preventing cyberthreats – stop them before they stop you! [Audio + Text]

Join world-renowned expert Fraser Howard, Director of Research at SophosLabs, for this fascinating episode on how to fight cybercrime.

“Suspicious login” scammers up their game – take care at Christmas

A picture is worth 1024 words - we clicked through so you don't have to.

OneCoin scammer Sebastian Greenwood pleads guilty, “Cryptoqueen” still missing

The Cryptoqueen herself is still missing, but her co-conspirator, who is said to have pocketed over $20m a month, has been convicted.

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

COVID-bit: the wireless spyware trick with an unfortunate name

It's not the switching that's the problem, it's the switching of the switching!

Credit card skimming – the long and winding road of supply chain failure

Don't keep calling home to a JavaScript server that closed its doors eight years ago!

Apple pushes out iOS security update that’s more tight-lipped than ever

We grabbed the update, based on no information at all, just in case we came across a reason to advise you not to. So far, so good...

Silk Road drugs market hacker pleads guilty, faces 20 years inside

Jurisprudence isn't like arithmetic... two negatives never make a positive!

Twitter Blue Badge email scams – Don’t fall for them!

That was the week that was...

S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text]

Listen now - latest episode - audio plus full transcript

Psychotherapy extortion suspect: arrest warrant issued

Wanted! Not only the extortionist who abused the data, but also the CEO who let it happen.

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

Clearview AI image-scraping face recognition service hit with €20m fine in France

"We told you to stop but you ignored us," said the French regulator, "so now we're coming after you again."

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!

Ventura hits the market with 112 patches, Catalina's gone missing, and iPhones and iPads get a critical kernel-level zero-day patch...

Serious Security: How randomly (or not) can you shuffle cards?

What if you could guess the next card correctly twice as often as you should?

Dangerous hole in Apache Commons Text – like Log4Shell all over again

Third time unlucky. Time to put your patching boots on again...

S3 Ep104: Should hospital ransomware attackers be locked up for life? [Audio + Text]

Have your say on three deep questions posed by this week's podcast. Read or listen as suits you best...

BEC fraudster and romance scammer sent to prison for 25 years

Two years of scamming + $10 million leeched = 25 years in prison. Just in time for #Cybermonth.

Morgan Stanley fined millions for selling off devices full of customer PII

Critical data on old disks always seems inaccessible if you really need it. But when you DON''T want it back, guess what happens...

LastPass source code breach – incident response report released

Wondering how you'd handle a data breach report if the worst happened to you? Here's a useful example.

How to deal with dates and times without any timezone tantrums…

Heartfelt encouragement to embrace RFC 3339 - find out why!

S3 Ep97: Did your iPhone get pwned? How would you know? [Audio + Text]

Latest episode - listen now! (Or read the transcript if you prefer the text version.)

Breaching airgap security: using your phone’s gyroscope as a microphone

One bit per second makes the Voyager probe data rate seem blindingly fast. But it's enough to break your security assumptions...