S3 Ep141: What was Steve Jobs’s first job?

By Paul Ducklin — June 29^th 2023 at 16:58

Latest episode - listen now! (Full transcript inside.)

Naked Security

S3 Ep140: So you think you know ransomware?

By Paul Ducklin — June 22^nd 2023 at 16:48

Lots to learn this week - listen now! (Full transcript inside.)

Naked Security

Apple patch fixes zero-day kernel hole reported by Kaspersky – update now!

By Paul Ducklin — June 22^nd 2023 at 00:36

Apple didn't use the words "Triangulation Trojan", but you probably will.

Naked Security

ASUS warns router customers: Patch now, or block all inbound requests

By Paul Ducklin — June 20^th 2023 at 18:14

"Do as we say, not as we do!" - The patches took ages to come out, but don't let that lure you into taking ages to install them.

Naked Security

MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”

By Paul Ducklin — June 15^th 2023 at 22:10

Twice more unto the breach... third patch tested and released, shut down web access until you've applied it

mi-1200

Naked Security

Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes

By Paul Ducklin — June 13^th 2023 at 23:32

No zero-days this month, if you ignore the Edge RCE hole patched last week

Naked Security

More MOVEit mitigations: new patches published for further protection

By Paul Ducklin — June 9^th 2023 at 21:54

Good news... more patches, this time available proactively

Naked Security

S3 Ep138: I like to MOVEit, MOVEit

By Paul Ducklin — June 8^th 2023 at 16:56

Backdoors, exploits, and Little Bobby Tables. Listen now! (Full transcript available...)

s3-ep138-1200

Naked Security

Firefox 114 is out: No 0-days, but one fascinating “teachable moment” bug

By Paul Ducklin — June 7^th 2023 at 19:59

With the right (or wrong, if you're on the right side of the fence) timing...

Naked Security

Chrome and Edge zero-day: “This exploit is in the wild”, so check your versions now

By Paul Ducklin — June 6^th 2023 at 18:28

Chrome and Edge 0-days patched.

Naked Security

MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…

By Paul Ducklin — June 5^th 2023 at 19:59

Little Bobby Tables is back!

mi-1200

Naked Security

Researchers claim Windows “backdoor” affects hundreds of Gigabyte motherboards

By Paul Ducklin — June 2^nd 2023 at 18:56

It's a backdoor, Jim, but not as we know it... here's a sober look at this issue.

Naked Security

S3 Ep137: 16th century crypto skullduggery

By Paul Ducklin — June 1^st 2023 at 16:45

Lots to learn, clearly explained in plain English... listen now! (Full transcript inside.)

s3-ep137-feat-1200

Naked Security

Serious Security: Verification is vital – examining an OAUTH login bug

By Paul Ducklin — May 30^th 2023 at 16:59

What good is a popup asking for your approval if an attacker can bypass it simply by suppressing it?

Naked Security

Apple’s secret is out: 3 zero-days fixed, so be sure to patch now!

By Paul Ducklin — May 19^th 2023 at 01:02

All Apple users have zero-days that need patching, though some have more zero-days than others.

Naked Security

PHP Packagist supply chain poisoned by hacker “looking for a job”

By Paul Ducklin — May 5^th 2023 at 16:59

I pwned you! Gizza job! You know it makes sense!

Naked Security

S3 Ep132: Proof-of-concept lets anyone hack at will

By Paul Ducklin — April 27^th 2023 at 16:55

When Doug says, "Happy Remote Code Execution Day, Duck"... it's irony. For the avoidance of all doubt :-)

Naked Security

PaperCut security vulnerabilities under active attack – vendor urges customers to patch

By Paul Ducklin — April 25^th 2023 at 17:53

If you have the product, but you haven't patched - well, the crooks have now landed, so please don't delay. Do it today...

Naked Security

Double zero-day in Chrome and Edge – check your versions now!

By Paul Ducklin — April 24^th 2023 at 19:59

Wouldn't it be handy if there were a single version number to check for in every Chromium-based browser, on every supported platform?

Naked Security

VMware patches break-and-enter hole in logging tools: update now!

By Paul Ducklin — April 21^st 2023 at 17:58

You know jolly well/What we're going to say/And that's "Do not delay/Simply do it today."

Naked Security

S3 Ep130: Open the garage bay doors, HAL [Audio + Text]

By Paul Ducklin — April 13^th 2023 at 16:54

I'm sorry, Dave. I'm afraid I can't... errr, no, hang on a minute, I can do that easily! Worldwide! Right now!

Naked Security

Patch Tuesday: Microsoft fixes a zero-day, and two curious bugs that take the Secure out of Secure Boot

By Paul Ducklin — April 12^th 2023 at 18:57

Is Secure Boot without the Secure just "Boot"?

Naked Security

Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads

By Paul Ducklin — April 10^th 2023 at 20:20

That double-whammy Apple browser-to-kernel spyware bug combo we wrote up last week? Turns out it applies to all supported Macs and iDevices - patch now!

Naked Security

Popular server-side JavaScript security sandbox “vm2” patches remote execution hole

By Paul Ducklin — April 9^th 2023 at 00:28

The security error was in the error handling system that was supposed to catch potential security errors...

vm2-1200

Naked Security

Apple issues emergency patches for spyware-style 0-day exploits – update now!

By Paul Ducklin — April 8^th 2023 at 01:20

A bug to hack your browser, then a bug to pwn the kernel... reported from the wild by Amnesty International.

Naked Security

Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know

By Paul Ducklin — April 5^th 2023 at 18:49

Grab a message/Play it back/You've just performed/A big phat hack...

Naked Security

S3 Ep128: So you want to be a cybercriminal? [Audio + Text]

By Paul Ducklin — March 30^th 2023 at 19:43

Latest episode - listen now!

Naked Security

Apple patches everything, including a zero-day fix for iOS 15 users

By Paul Ducklin — March 28^th 2023 at 00:23

Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.

Naked Security

WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!

By Paul Ducklin — March 24^th 2023 at 19:48

Admin-level holes in websites are always a bad thing... and for "bad", read "worse" if it's an e-commerce site.

woo-1200

Naked Security

S3 Ep127: When you chop someone out of a photo, but there they are anyway…

By Paul Ducklin — March 23^rd 2023 at 17:59

Listen now - latest episode. Full transcript inside.

Naked Security

Dangerous Android phone 0-day bugs revealed – patch or work around them now!

By Paul Ducklin — March 17^th 2023 at 19:56

Despite its usually inflexible 0-day disclosure policy, Google is keeping four mobile modem bugs semi-secret due to likely ease of exploitation.

Naked Security

S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]

By Paul Ducklin — March 16^th 2023 at 17:56

Worried about rogue apps? Unsure about the new Outlook zero-day? Clear advice in plain English... just like old times, with Duck and Chet!

Naked Security

Microsoft fixes two 0-days on Patch Tuesday – update now!

By Paul Ducklin — March 15^th 2023 at 00:06

An email you haven't even looked at yet could be used to trick Outlook into helping crooks to logon as you.

Naked Security

Firefox 111 patches 11 holes, but not 1 zero-day among them…

By Paul Ducklin — March 14^th 2023 at 19:16

In the game of cricket, 111 is an inauspicious number, but for Firefox, there doesn't seem to be much to worry about this month.

Naked Security

S3 Ep125: When security hardware has security holes [Audio + Text]

By Paul Ducklin — March 9^th 2023 at 18:58

Lastest episode - listen now! (Full transcript inside.)

Naked Security

Serious Security: TPM 2.0 vulns – is your super-secure data at risk?

By Paul Ducklin — March 7^th 2023 at 19:59

Security bugs in the very code you've been told you must have to improve the security of your computer...

Naked Security

S3 Ep122: Stop calling every breach “sophisticated”! [Audio + Text]

By Paul Ducklin — February 16^th 2023 at 17:46

Latest episode - listen now! (Full transcript inside.)

Naked Security

Apple fixes zero-day spyware implant bug – patch now!

By Paul Ducklin — February 14^th 2023 at 19:08

Everyone update now! Except for those who don't need to! Or who need to but will only get updates later on, though Apple isn't saying yet!

Naked Security

S3 Ep121: Can you get hacked and then prosecuted for it? [Audio + Text]

By Paul Ducklin — February 9^th 2023 at 19:41

Latest epsiode. Listen now!

Naked Security

OpenSSL fixes High Severity data-stealing bug – patch now!

By Paul Ducklin — February 8^th 2023 at 02:58

7 memory mismanagements and a timing attack. We explain all the jargon bug terminology in plain English...

Naked Security

VMWare user? Worried about “ESXi ransomware”? Check your patches now!

By Paul Ducklin — February 7^th 2023 at 19:59

To borrow from HHGttG, please DON'T PANIC. But if you are two years out of date with patches, please do ACT NOW!

Naked Security

OpenSSH fixes double-free memory bug that’s pokable over the network

By Paul Ducklin — February 3^rd 2023 at 17:59

It's a bug fix for a bug fix. A memory leak was turned into a double-free that has now been turned into correct code...

Naked Security

S3 Ep120: When dud crypto simply won’t let go [Audio + Text]

By Paul Ducklin — February 2^nd 2023 at 17:50

Latest episode - listen now!

Naked Security

Password-stealing “vulnerability” reported in KeePass – bug or feature?

By Paul Ducklin — February 1^st 2023 at 19:58

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

Naked Security

GitHub code-signing certificates stolen (but will be revoked this week)

By Paul Ducklin — January 31^st 2023 at 11:35

There was a breach, so the bad news isn't great, but the good news isn't too bad...

Naked Security

Serious Security: The Samba logon bug caused by outdated crypto

By Paul Ducklin — January 30^th 2023 at 19:59

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Naked Security

S3 Ep119: Breaches, patches, leaks and tweaks! [Audio + Text]

By Paul Ducklin — January 26^th 2023 at 19:57

Lastest episode - listen now! (Or read the transcript.)

Naked Security

Apple patches are out – old iPhones get an old zero-day fix at last!

By Paul Ducklin — January 24^th 2023 at 01:24

Don't delay, especially if you're still running an iOS 12 device... please do it today!

Naked Security

Serious Security: How dEliBeRaTe tYpOs might imProVe DNS security

By Paul Ducklin — January 23^rd 2023 at 19:59

It's a really cool and super-simple trick. The question is, "Will it help?"

Naked Security

S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]

By Paul Ducklin — January 12^th 2023 at 17:59

Tell us in the comments... What's the REAL reason there was no Windows 9? (No theory too far-fetched!)

Naked Security

Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches

By Paul Ducklin — January 11^th 2023 at 00:22

Get 'em while they're hot. And get 'em for the very last time, if you still have Windows 7 or 8.1...

Naked Security

Popular JWT cloud security library patches “remote” code execution hole

By Paul Ducklin — January 10^th 2023 at 19:59

It's remotely triggerable, but attackers would already have pretty deep network access if they could "prime" your server for compromise.

Naked Security

CircleCI – code-building service suffers total credential compromise

By Paul Ducklin — January 9^th 2023 at 14:52

They're saying "rotate secrets"... in plain English, they mean "change your credentials". The company has a tool to help you find them all.

Naked Security

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches

By Paul Ducklin — January 4^th 2023 at 19:50

Lessons for us all: improve cryptography, fight cybercrime, own your supply chain... and don't steal my data and then pretend you're sorry.

Naked Security

Naked Security 33 1/3 – Cybersecurity predictions for 2023 and beyond

By Paul Ducklin — December 30^th 2022 at 19:59

The problem with anniversaries is that there's an almost infinite number of them every day...

hny-1200

Naked Security

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

By Paul Ducklin — December 20^th 2022 at 17:59

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

Naked Security

S3 Ep113: Pwning the Windows kernel – the crooks who hoodwinked Microsoft [Audio + Text]

By Paul Ducklin — December 15^th 2022 at 17:10

Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!

Naked Security

Apple patches everything, finally reveals mystery of iOS 16.1.2

By Paul Ducklin — December 14^th 2022 at 02:11

There's an update for everything this time, not just for iOS.

Naked Security

Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware

By Paul Ducklin — December 14^th 2022 at 01:13

Tales of derring-do in the cyberunderground! (And some zero-days.)

Naked Security

Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties

By Paul Ducklin — December 12^th 2022 at 19:58

That's a mean average of $15,710 per bug... and 63 fewer bugs out there for crooks and rogues to find.