Sophos Podcasts

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 189:47:17

Information:

Synopsis

Podcast by SophosLabs

Episodes

  • S3 Ep38: Clop busts, destructive Linux hacking, and rooted bicycles

    24/06/2021 Duration: 38min

    Ukrainian cops bring out the BFG (Big Fearsome Grinder) and cut open some doors. A repeated request for destructive Linux code enters its 15th year. Peloton exercise bicycles found to be rootable. https://nakedsecurity.sophos.com/clop-ransomware-suspects-busted-in-ukraine https://nakedsecurity.sophos.com/can-you-blow-a-pc-speaker https://nakedsecurity.sophos.com/how-to-hack-a-bicycle-peloton-bike-rooting With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep37: Quantum crypto, refunding Bitcoins, and Alpaca problems

    17/06/2021 Duration: 37min

    Will quantum cryptography mean the end of encryption? How was the FBI able to get bitcoins back in the Colonial Pipeline ransomware case? What is the ALPACA attack, and does it make your browsing less secure? https://nakedsecurity.sophos.com/serious-security-post-quantum-cryptography https://nakedsecurity.sophos.com/how-could-the-fbi-recover-btc https://nakedsecurity.sophos.com/alpaca-the-wacky-tls-security-vulnerability With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep36: Trickbot coder busted, passwords cracked, and breaches judged

    10/06/2021 Duration: 37min

    Alleged malware coder from the Trickbot gang arrested. 5500 passwords cracked and salaries stolen by "credential stuffing" crook. And we answer a listener's question about just how tough to be when judging a company that's had a breach. https://nakedsecurity.sophos.com/latvian-woman-charged-with-writing-malware https://nakedsecurity.sophos.com/how-to-hack-into-5500-accounts With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep35: Apple chip flaw, Have I Been Pwned, and Covid tracker trouble

    03/06/2021 Duration: 36min

    The fascinating tale of a bug that's baked into Apple's latest chip. Why the Aussie data breach warning site HIBP is partnering with the FBI. And a coronavirus tracking toolkit that fell foul of privacy rules. https://nakedsecurity.sophos.com/unpatchable-vuln-in-apples-new-mac-chip https://nakedsecurity.sophos.com/have-i-been-pwned-breach-site-partners-with-the-fbi https://nakedsecurity.sophos.com/regulator-fines-covid-19-tracker With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep34: Apple bugs, scammers busted, and how crooks bypass 2FA

    26/05/2021 Duration: 43min

    Apple patches a raft of serious security holes. Police arrest eight suspects in an online scamming ring. We explain how WhatsApp messages from hacked accounts are helping cybercrooks bypass 2FA. https://nakedsecurity.sophos.com/apple-patches-dangerous-security-holes-one-in-active-use-update-now https://nakedsecurity.sophos.com/eight-suspects-busted-in-raid-on-home-delivery-scamming-operation https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac-podcast And if you are after the product recommended by our up-and-coming haircare expert Duck, it's spelled Tangle Teezer. (That may look like a typo, but it's not. That's really how they write it.) With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep33: Eufy camera leak, Afterburner crisis, and AirTags (again)

    19/05/2021 Duration: 38min

    We look into an unnerving case of mixed-up video feeds. We warn you against "going rogue" when you can't get the download you want from the regular place. We explain how Apple's new AirTag product got hacked (again). Stories discussed: https://nakedsecurity.sophos.com/apple-airtags-hacked-again-free-internet https://nakedsecurity.sophos.com/gamers-beware-crooks-take-advantage https://nakedsecurity.sophos.com/those-arent-my-kids-eufy-camera-owners Related stories from the podcast: https://nakedsecurity.sophos.com/omg-i-just-received-someone-elses-security-cam https://nakedsecurity.sophos.com/150000-security-cameras-allegedly-breached https://nakedsecurity.sophos.com/apple-airtag-jailbroken-already With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep32: AirTag jailbreak, Dell vulns, and the never-ending scam

    12/05/2021 Duration: 38min

    Apple's brand new AirTag product got hacked already. Things you can learn from Colonial Pipeline's ransomware misfortune. Why Dell patched a bunch of driver bugs going back more than a decade. And the "Is it you in the video?" scam just keeps on coming back. Stories discussed: https://nakedsecurity.sophos.com/apple-airtag-jailbroken-already https://nakedsecurity.sophos.com/dell-fixes-exploitable-holes https://nakedsecurity.sophos.com/is-it-you-in-the-video-dont-fall-for-this Additional links you will find useful: https://news.sophos.com/en-us/using-sophos-edr-to-identify-endpoints-impacted-by-dell https://nakedsecurity.sophos.com/ransomware-dont-expect-a-full-recovery https://news.sophos.com/a-defenders-view-inside-a-darkside-ransomware-attack https://www.sophos.com/ransomware With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsec

  • S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug

    05/05/2021 Duration: 38min

    We look into Apple's recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous "Flubot" home delivery scam works and how to stop it. We investigate a recent security bug that threatened the PHP ecosystem. https://nakedsecurity.sophos.com/apple-products-hit-by-fourfecta-of-zero-day-exploits https://nakedsecurity.sophos.com/naked-security-live-beware-flubot-the-home-delivery-scam https://nakedsecurity.sophos.com/php-community-sidesteps-its-third-supply-chain-attack With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep30: AirDrop worries, Linux pests and ransomware truths

    29/04/2021 Duration: 47min

    We investigate whether AirDrop is really as dangerous as researchers claimed. We discuss the pestiferous problem of fake Linux bugs submitted as an academic exercise. We review the latest Sophos Ransomware Report and uncover uncomfortable truths about paying up. https://nakedsecurity.sophos.com/apple-airdrop-has-significant-privacy-leak https://nakedsecurity.sophos.com/linux-team-in-public-bust-up-over-fake-patches https://nakedsecurity.sophos.com/ransomware-dont-expect-a-full-recovery With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep29: Anti-tracking, rowhammer problems and IoT vulns

    21/04/2021 Duration: 48min

    How Firefox showed the hand to a widely abused online tracking trick. Why reading from one part of your computer's memory can paradoxically (and sneakily) let you write to another part. And yet more IoT bugs, this time a whole slew of them that go by the moniker "name:wreck". https://nakedsecurity.sophos.com/firefox-88-patches-bugs https://nakedsecurity.sophos.com/serious-security-rowhammer-is-back https://nakedsecurity.sophos.com/iot-bug-report-claims-at-least-100m With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep28.5: Hacking back - is attack an acceptable form of defence?

    16/04/2021 Duration: 19min

    Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath. With Paul Ducklin and Chester Wisniewski https://nakedsecurity.sophos.com/fbi-hacks-into-hundreds-of-infected-us-servers https://nakedsecurity.sophos.com/naked-security-live-hafnium-explained-in-plain-english Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep28: Pwn2Own hacks, dark web hitmen and COVID-19 privacy

    14/04/2021 Duration: 48min

    We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps. https://nakedsecurity.sophos.com/pwn2own-2021-zoom-teams-exchange-chrome-and-edge https://nakedsecurity.sophos.com/italian-charged-with-hiring-dark-web-hitman https://nakedsecurity.sophos.com/apple-and-google-block-official-uk-covid-19-app With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep27: Census scammers, beg bounties and data breach fines

    07/04/2021 Duration: 46min

    How scammers copied a government website almost to perfection. What to do about those fake "bug" hunters who ask for payment for finding "vulnerabilities" that aren't. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough. https://nakedsecurity.sophos.com/criminals-send-out-fake-census https://news.sophos.com/have-a-domain-name-beg-bounty-hunters https://news.sophos.com/beg-bounty-hunting-why-do-people-do-it https://news.sophos.com/the-unintended-consequences-of-rewarding-beg-bounty-hunters https://nakedsecurity.sophos.com/s3-ep8-a-conversation-with-katie-moussouris https://nakedsecurity.sophos.com/too-slow-booking-com-fined https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/what-should-you-say-if-you-have-a-data-breach With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? E

  • S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor

    31/03/2021 Duration: 37min

    Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks. https://nakedsecurity.sophos.com/apple-devices-get-urgent-patch-for-zero-day-exploit https://nakedsecurity.sophos.com/serious-security-openssl-fixes-two-high-severity-crypto-bugs https://nakedsecurity.sophos.com/php-web-language-narrowly-avoids-dangerous-supply-chain-attack With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep25: Drained accounts, ransomware attacks and Linux badware

    24/03/2021 Duration: 47min

    How a social engineer ripped off a victim lured in by one of those "small outstanding fee to pay" home delivery scams. The ransomware crooks targeting networks that still haven’t done their Hafnium patches. And the Linux kernel security holes that lay there undiscovered for 15 years. Related articles that we refer to in the show: https://nakedsecurity.sophos.com/beware-the-dhl-delivery-message https://nakedsecurity.sophos.com/watch-out-scummy-scammers-target-home-deliveries https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/blackkingdom-ransomware https://nakedsecurity.sophos.com/serious-security-webshells-explained https://nakedsecurity.sophos.com/naked-security-live-hafnium-explained-in-plain-english https://nakedsecurity.sophos.com/serious-security-the-linux-kernel-bugs-that-surfaced With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to

  • S3 Ep24: How not to get snooped, scammed or hoaxed

    17/03/2021 Duration: 47min

    We discuss an iPhone app that allowed anyone to snoop on anyone's calls - but not in the way you might expect. We investigate a data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently "secured" by a single password... that got leaked onto the internet. And we urge you as keenly as we can: "Don't spread hoaxes, folkses." https://nakedsecurity.sophos.com/how-confidential-are-your-calls https://nakedsecurity.sophos.com/150000-security-cameras-allegedly-breached https://nakedsecurity.sophos.com/facebook-hoaxes-harmless-fun-or-security-risk With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep23.5: An interview with cybersecurity expert John Noble CBE

    15/03/2021 Duration: 29min

    John Noble was Director of Incident Management at the UK's National Cyber Security Centre (NCSC) until his retirement in 2018. During his 40 years of Government service, John specialised in operational delivery and strategic business change. For his work in creating effective partnerships in the run up to the London Olympics, he was made a Commander of the British Empire (CBE) in 2012. John helped to establish the NCSC and led the response to nearly 800 significant cyberincidents. This work has given him unrivalled experience in dealing with and understanding the causes of cyberattacks. John is currently a non-executive director at NHS Digital, where he chairs the Information Assurance and Cyber Security Committee. NHS Digital is the national information and technology partner to the health and social care system in England. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity

  • S3 Ep23: Hafnium happenings, I see you, and Pythonic poison

    10/03/2021 Duration: 32min

    Getting to grips with the HAFNIUM cybercrooks/vulnerabilities/exploits/webshells/attacks. Why it's important to think before you share those home-based selfies. What you need to know about social engineering. How (not!) to prove a point when you're a programmer. https://nakedsecurity.sophos.com/serious-security-webshells-explained-in-the-aftermath-of-hafnium https://nakedsecurity.sophos.com/i-see-you-your-home-working-photos-reveal-more-than-you-think https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/poison-packages-supply-chain-risks-user-hits-python-community With Kimberly Truong and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep22: Cryptographic escapes and social media scams

    04/03/2021 Duration: 38min

    How to stop security-conscious apps from allowing unencrypted data to escape, and how scammers put social network users under pressure in order to steal their passwords. https://nakedsecurity.sophos.com/keybase-secure-messaging-fixes-photo-leaking-bug https://nakedsecurity.sophos.com/naked-security-live-beware-copyright-scams With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)

  • S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads

    25/02/2021 Duration: 45min

    The graphics card that wants you to stick to playing games, the man that didn't weigh 100 tons after all, and the marketing gang that used a browser bug to bombard iPhone users with scammy online surveys. https://nakedsecurity.sophos.com/nvidia-announces-official-anti-cryptomining https://nakedsecurity.sophos.com/the-massive-coronavirus-pandemic-it-blunder https://nakedsecurity.sophos.com/scamclub-gang-outed-for-exploiting-iphone-browser With Kimberly Truong, Doug Aamoth and Paul Ducklin. Original music by Edith Mudge (https://www.edithmudge.com) Got questions/suggestions/stories to share? Email: tips@sophos.com Twitter: NakedSecurity (https://twitter.com/nakedsecurity) Instagram: NakedSecurity (https://instagram.com/nakedsecurity)
