“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

WYSIWYG is short for "what you see is what you get". Except when it isn't...

S3 Ep146: Tell us about that breach! (If you want to.)

Serious security stories explained clearly in plain English - listen now. (Full transcript available.)

S3 Ep145: Bugs With Impressive Names!

Fascinating fun (with a serious and educational side) - listen now! Full transcript available inside.

S3 Ep136: Navigating a manic malware maelstrom

Latest episode - listen now. Full transcript inside...

PyPI open-source code repository deals with manic malware maelstrom

Controlled outage used to keep malware marauders from gumming up the works. Learn what you can do to help in future...

Zut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

We asked you once, we told you twice, now we're ordering you for the third time...

PHP Packagist supply chain poisoned by hacker “looking for a job”

I pwned you! Gizza job! You know it makes sense!

Tracked by hidden tags? Apple and Google unite to propose safety and security standards…

To bleat, or not to bleat, that is the question.

Attention gamers! Motherboard maker MSI admits to breach, issues “rogue firmware” alert

Stealing private keys is like getting hold of a medieval monarch's personal signet ring... you get to put an official seal on treasonous material.

S3 Ep129: When spyware arrives from someone you trust

Scanning tools, supply-chain malware, Wi-Fi hacking, and why there should be TWO World Backup Days... listen now!

Supply chain blunder puts 3CX telephone app users at risk

Booby-trapped app, apparently signed and shipped by 3CX itself after its source code repository was broken into.

NPM JavaScript packages abused to create scambait links in bulk

Free spins? Bonus game points? Cheap social media followers? What harm could it possibly do if you just take a tiny little look?!

PyTorch: Machine Learning toolkit pwned from Christmas to New Year

The bad news: the crooks have your SSH private keys. The good news: only users of the "nightly" build were affected.

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

COVID-bit: the wireless spyware trick with an unfortunate name

It's not the switching that's the problem, it's the switching of the switching!

TikTok “Invisible Challenge” porn malware puts us all at risk

An injury to one is an injury to all. Especially if the other people are part of your social network.

“Gucci Master” business email scammer Hushpuppi gets 11 years

Learn how to protect yourself from big-money tricksters like the Hushpuppis of the world...

S3 Ep106: Facial recognition without consent – should it be banned?

Latest episode - listen (or read) now. Teachable moments for X-Ops professionals!

Clearview AI image-scraping face recognition service hit with €20m fine in France

"We told you to stop but you ignored us," said the French regulator, "so now we're coming after you again."

S3 Ep98: The LastPass saga – should we stop using password managers? [Audio + Text]

Latest episode - listen now!

Breaching airgap security: using your phone’s gyroscope as a microphone

One bit per second makes the Voyager probe data rate seem blindingly fast. But it's enough to break your security assumptions...

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

GitHub blighted by “researcher” who created thousands of malicious projects

If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.

Murder suspect admits she tracked cheating partner with hidden AirTag

O! What a tangled web we weave, when first we practise to deceive.

Poisoned Python and PHP packages purloin passwords for AWS access

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Clearview AI face-matching service fined a lot less than expected

The fine has finally gone through... but it's less than 45% of what was originally proposed.

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

GitHub issues final report on supply-chain source code intrusions

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

Beanstalk cryptocurrency heist: scammer votes himself all the money

Voting safeguards based on commuity collateral don't work if one person can use a momentary loan to "become" 75% of the community.

S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]

Latest episode - listen now (or read it, if that's your preference)...

Apple AirTag anti-stalking protection bypassed by researchers

Problems with Apple's Tracker Detect system, which warns you of likely stalking attempts using hidden AirTags.

Wormhole cryptotrading company turns over $340,000,000 to criminals

It was the best of blockchains, it was the worst of blockchains... as Charles Dickens might have said.

S3 Ep65: Supply chain conniption, NetUSB hole, Honda flashback, FTC muscle [Podcast + Transcript]

Latest episode -listen to it or read it now!

JavaScript developer destroys own projects in supply chain “lesson”

Two popular open source JavaScript packages recently got "hacked" in a symbolic gesture by the original project creator.

S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]

Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)

S3 Ep61: Call scammers, cloud insecurity, and facial recognition creepiness [Podcast+Transcript]

Latest episode - listen now!

Clearview AI face-matching service set to be fined over $20m

Scraping data for a facial recognition service? "That's unlawful", concluded both the British and the Australians.

Samba update patches plaintext password plundering problem

When Microsoft itself says STOP USING X, where X is one of its own protocols... we think you should listen.

Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!

The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.

Listen up 2 – CYBERSECURITY FIRST! How to protect yourself from supply chain attacks

Everyone remembers this year's big-news supply chain attacks on Kaseya and SolarWinds. Sophos expert Chester Wisniewski explains how to control the risk.