Smashing Security

A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI DSS rules are finally muzzling Magecart-style skimmers.

Plus: Graham reveals his new-found superpower with Keyboard Maestro, and Scott describes a slick new way to whip up beautiful how-to videos with Screen Studio.

All...

A critical infrastructure hack hits the headlines - involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole. 

Meanwhile we dig into the bit we don't talk about enough: the human cost of defending companies from hackers - stress, burnout, and how better leadership culture can help make security teams safer and saner.

Plus we say a heartfelt "la di...

Your computer's mouse might not be as innocent as it looks - and one ransomware crew has a crisis of conscience that nobody saw coming.

We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation.

Meanwhile, Graham reveals a baked potato hack that might just change your life, and we take an unexpected detou...

Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars.

And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable ...

Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.

But it’s not all doom and gloom - unless you count your kitchen appliances ...

When "bad actors" stop being hackers and start being... actual actors.

This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear.

Plus, the UK's ICO says...

Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did - and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon.

Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped sh...

Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).

Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passw...

We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault.

Then we time-hop to the post-quantum scramble: "harvest-now, decrypt later", Microsoft's 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse.

All this, plus a gloriously dodgy UR...

In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills.

Meanwhile, we look at the growing threat of EDR-killer tools that can quietly switch off your endpoint protection before an attack even begins.

And for something a little different, we peek into the Internet Archive’s dysto...

A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Dave Bittner from The Cyberwire.

Warning: This podcast may co...

Those of you who tuned in to last week's episode (#428) will have heard the big news from my podcast pal Carole that she's decided to move on from her co-hosting duties on the show.

There have been some lovely messages of support sent through for Carole, and indeed for me too. Thank you very much to all of you - it's really heatywarming to hear how much the last 428 episodes have meant to you all, and how much you want t...

The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes.

Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer.

All this is discussed in the latest edition of the "Smashi...

In this episode, Graham warns why it is high time we said goodbye to 2G - the outdated mobile network being exploited by cybercriminals with suitcase-sized SMS blasters. From New Zealand to London, scammers are driving around cities like dodgy Uber drivers, spewing phishing texts to thousands at once.

Meanwhile, Carole unpacks a painfully awkward tale of amour fou, as a 76-year-old Belgian man drives 476 miles to meet his dream woma...

In episode 426 of the "Smashing Security" podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation.

Meanwhile, Carole investigates how Grok went berserk, which didn't stop the Department of Defense signing a contract with Elon’s AI chatbot. So who is responsible when your chatbot becomes a bigot?

Plus: Email headaches, SPF rage, and a glowing review...

In episode 425 of "Smashing Security", Graham reveals how "Call of Duty: WWII" has been weaponised - allowing hackers to hijack your entire PC during online matches, thanks to ancient code and Microsoft’s Game Pass.

Meanwhile, Carole digs into a con targeting the recently incarcerated, with scammers impersonating bail bond agents to fleece desperate families.

All this and more is discussed in the latest edition of th...

A Mexican drug cartel spies on the FBI using traffic cameras and spyware — because "ubiquitous technical surveillance” is no longer just for dystopian thrillers. Graham digs into a chilling new US Justice Department report that shows how surveillance tech was weaponised to deadly effect.

Meanwhile, Carole checks the rear-view mirror on the driverless car industry. Whatever happened to those million Tesla robotaxis Elon Musk prom...

In this episode, Graham unravels Operation Endgame - the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram.

Meanwhile, Carole exposes the AI-generated remote hiring threat. Could your next coworker be a North Korean hacker with a perfect LinkedIn?

And BBC cyber correspondent Joe Tidy joins us to talk about "Ctrl-Alt-Chaos", his ne...

A GCHQ intern forgets the golden rule of spy school — don’t take the secrets home with you — and finds himself swapping Cheltenham for a cell. Meanwhile, an Australian hacker flies too close to the sun, hacks his way into a US indictment, and somehow walks free... only to get booted back Down Under.

Plus: flow states, Bob Mortimer, and the joys of pretending to carry an owl around on a cushion.

All this and more is discussed in the l...