Naked Security

Sophos

We take an expert look at the latest cybersecurity incidents, how they happened, and why. Tune in weekly to learn what you can do to stop bad things from happening to you!

Got questions/suggestions/stories to share?

S3 Trailer: We're back!
Trailer 52 sec

All Episodes

Cybersecurity tips for the holiday season and beyond. Exchange at risk from public exploit. GoDaddy loses passwords for 1.2m users. Longest-lived Windows version ever. Don't make your cookies public. And the day that umbrellas became an anti-DDoS tool. Original music by Edith Mudge. Got questions/suggestions/stories to share? Email tips@sophos.com, Twitter @NakedSecurity, Instagram @NakedSecurity.

Nov 25

30 min 37 sec

The infamous Emotet malware makes a comeback. Crooks smirk at the world with a fake FBI warning. Why tubes are also valves. Samba fixes an intriguing bug. The suitcase that needs no handle. And a virtual-versus-real monitor mixup.

Nov 18

33 min 37 sec

We enjoy the Sophos 2022 Threat Report. The world's {oldest, coolest} continuously maintained browser. Facebook folds up its Face Recognition feature. Crooks combine a new social engineering scam with a new way of packaging malware. Kaseya ransomware suspect busted in Poland. Oh! No! How to block radio communications in a land with no hills.

Nov 11

31 min 43 sec

Norbert (huzzah for Norbert!) does tech support. Europol digs into the ransomware scene. Microsoft finds a wacky bug in Apple's shell. The Morris worm turns 33. Edge on Linux phans the phlames. Ola! Gibberish peculiarity textual solvage.

Nov 4

29 min 21 sec

Bliss is a hill in wine country. Lessons from a cryptotrading hamster. Ransomware gang hacked back. Docusign phishers go after 2FA codes. Sleep mode considered harmful.

Oct 28

34 min 27 sec

Special minisode! Michelle Farenci knows her stuff, because she's a cybersecurity practitioner inside a cybersecurity company. Learn why thinking like an attacker makes you a better defender. Full transcript: https://nakedsecurity.sophos.com/listen-up-4-cybersecurity-first-purple-teaming

Oct 25

25 min 22 sec

Special minisode! Dr Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, takes on the controversial topic of cyberinsurance. Full transcript: https://nakedsecurity.sophos.com/becybersmart-2021-cyberinsurance

Oct 25

26 min 32 sec

Special minisode! Chester Wisniewski, Principal Research Scientist at Sophos, gives you useful and actionable advice to reduce the risk of supply chain attacks. Full transcript: https://nakedsecurity.sophos.com/becybersmart-2021-supply-chain-attacks

Oct 25

26 min 43 sec

Special Minisode for #Cybermonth! Fraser Howard, Director of Threat Research at Sophos, talks about malware and how to fight it. Fraser's breadth and depth of knowledge in the threat-fighting field is second to none. Full transcript: https://nakedsecurity.sophos.com/becybersmart-2021-week4

Oct 25

28 min

Hook up with our forthcoming Live Malware Demo presentation. Why we think you should celebrate Global Encryption Day. A whole new twist on bogus online "friendships". How to stop your network cables giving you away. And why superglue is NOT a cybersecurity tool!

Oct 21

37 min 34 sec

Apple (you guessed it!) fixes yet another iPhone 0-day. Apache patches an embarrassing bug and then has to patch the patch. It's Fight The Phish week. The user who got punched right in the nose by a recalcitrant computer.

Oct 14

32 min 9 sec

Apple Pay gets hacked (sort of). DOJ busts four gift card scamming suspects. We give you our top tips for #Cybermonth. Ukrainian Cyberpolice take on ransomware crooks. Oh! No! The user that volunteered to RTFM!?

Oct 7

34 min 47 sec

Let's Encrypt brings HTTPS to everyone. Researchers rediscover an Outlook data leakage issue. VMware keeps it real. And when the mouse is away, the cat will play. With Paul Ducklin and Doug Aamoth.

Sep 30

32 min 40 sec

A scarily exploitable hole in Microsoft open source code. A simpler take on delivery scams. A Face ID bypass hack, patched for the initial release of iOS 15. And how not to get locked in a cabling closet. Coder? Use Sophos Intelix yourself for free: https://sophos.com/intelix With Paul Ducklin and Doug Aamoth.

Sep 22

38 min 49 sec

Apple patches two zero-day bugs. Microsoft patches one zero-day bug. A security researcher finds a fast-food bug (non-insect sort). And a touchpad user turns right into left, and vice versa. (See also: Big Office bug squashed for September 2021 Patch Tuesday) With Paul Ducklin and Doug Aamoth.

Sep 15

27 min 34 sec

Overlooked security flaw leaves web code vulnerable. A home alarm system that almost anyone can turn off. Some fascinating Firefox bugs fixed. And when you grab your laptop... but it's not yours. With Paul Ducklin and Doug Aamoth.

Sep 9

34 min 7 sec

Security code flushes out security bugs. Recursion: see recursion. Phishing (and lots of it). And the Windows desktop that got so big it imploded. With Paul Ducklin and Doug Aamoth.

Sep 1

37 min 23 sec

More money troubles in cryptotown. Trouble with plastic spaghetti. The mouse that conquered Windows. And the embarrassment when you report one of your very own emails as a phish. With Paul Ducklin and Doug Aamoth.

Aug 26

36 min 48 sec

Copyright infringement scams that beg you to call. An IoT bug that could be exploited for video snooping and more. A hacker steals $600m and then makes a song and dance out of giving it back. And how Doug's PS5 issues could be solved at last. With Paul Ducklin and Chester Wisniewski.

Aug 18

28 min 56 sec

Home and small business routers under attack. A hacking tool favoured by crooks gets hacked. The Navajo Nation's selfless cryptographic contribution to America. A cybercrook gets aggrieved at being ripped off by cybercrooks. With Doug Aamoth and Paul Ducklin.

Aug 12

41 min 59 sec

The latent 0-day that didn't get reported until it was too late. Retro computing: reliving the TRS-80. Crooks that help you install their malware. And a 5-minute billionaire (who ended up with $400). With Doug Aamoth and Paul Ducklin.

Aug 5

36 min 32 sec

Apple's emergency 0-day fix. Two sorts of Windows nightmare, neither involving printers. Twitter hacker busted. And our very own Doug ruins a brand new TV. With Doug Aamoth and Paul Ducklin.

Jul 28

39 min 16 sec

Learning from computer virus history. The PrintNightmare saga continues. Apple puts out a patch, but doesn't say why. Snitch on a crook and earn $10 million. Scammers do grammar. And the Business Email Compromise that wasn't. With Doug Aamoth and Paul Ducklin.

Jul 22

28 min 21 sec

We explain how a format string bug could lock your iPhone out of your own network. We revisit the PrintNightmare saga, which is sort-of fixed but not really. We look back at the 20-year-old Code Red virus. We look at what cybercriminals spend money on (hint: more cybercrime). And in this week's "Oh! No!", we learn how farm animals can disrupt your network. With Doug Aamoth and Paul Ducklin.

Jul 14

32 min 14 sec

The "Independence Day Weekend" ransomware drama. The PrintNightmare nightmare continues. An email hacker gets his conviction overturned. In this week's Oh! No! story, a server room fills with toxic fumes... With Doug Aamoth and Paul Ducklin. Original music by Edith Mudge Got questions/suggestions/stories to share? Email tips@sophos.com Twitter @NakedSecurity Instagram @NakedSecurity

Jul 8

35 min 10 sec

In this special splintersode, Kimberly Truong talks to Eva Galperin, Director of Security at the Electronic Frontier Foundation. Eva's TED talk mentioned in the podcast: What you need to know about Stalkerware.

Jul 5

39 min 38 sec

When you spend tens of pounds but get billed thousands because the system mistook the date for the amount. Our tips to make #SocialMediaDay your safest day on social media yet. And a clip from a great new privacy splintersode we'll be airing next week. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Jun 30

39 min 34 sec

Ukrainian cops bring out the BFG (Big Fearsome Grinder) and cut open some doors. A repeated request for destructive Linux code enters its 15th year. Peloton exercise bicycles found to be rootable. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Jun 24

38 min 5 sec

Will quantum cryptography mean the end of encryption? How was the FBI able to get bitcoins back in the Colonial Pipeline ransomware case? What is the ALPACA attack, and does it make your browsing less secure? With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Jun 17

37 min 30 sec

Alleged malware coder from the Trickbot gang arrested. 5500 passwords cracked and salaries stolen by "credential stuffing" crook. And we answer a listener's question about just how tough to be when judging a company that's had a breach. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Jun 10

37 min 34 sec

The fascinating tale of a bug that's baked into Apple's latest chip. Why the Aussie data breach warning site HIBP is partnering with the FBI. And a coronavirus tracking toolkit that fell foul of privacy rules. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Jun 3

36 min 10 sec

Apple patches a raft of serious security holes. Police arrest eight suspects in an online scamming ring. We explain how WhatsApp messages from hacked accounts are helping cybercrooks bypass 2FA. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

May 26

43 min 25 sec

We look into an unnerving case of mixed-up video feeds. We warn you against "going rogue" when you can't get the download you want from the regular place. We explain how Apple's new AirTag product got hacked (again). With Doug Aamoth and Paul Ducklin.

May 19

38 min 46 sec

Apple's brand new AirTag product got hacked already. Things you can learn from Colonial Pipeline's ransomware misfortune. Why Dell patched a bunch of driver bugs going back more than a decade. And the "Is it you in the video?" scam just keeps on coming back. Additional links you will find useful: https://news.sophos.com/en-us/using-sophos-edr-to-identify-endpoints-impacted-by-dell https://nakedsecurity.sophos.com/ransomware-dont-expect-a-full-recovery https://www.sophos.com/ransomware With Kimberly Truong, Doug Aamoth and Paul Ducklin.

May 12

38 min 33 sec

We look into Apple's recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous "Flubot" home delivery scam works and how to stop it. We investigate a recent security bug that threatened the PHP ecosystem. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

May 5

38 min 42 sec

We investigate whether AirDrop is really as dangerous as researchers claimed. We discuss the pestiferous problem of fake Linux bugs submitted as an academic exercise. We review the latest Sophos Ransomware Report and uncover uncomfortable truths about paying up. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Apr 29

47 min 39 sec

How Firefox showed the hand to a widely abused online tracking trick. Why reading from one part of your computer's memory can paradoxically (and sneakily) let you write to another part. And yet more IoT bugs, this time a whole slew of them that go by the moniker "name:wreck". With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Apr 21

48 min 44 sec

Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath. With Paul Ducklin and Chester Wisniewski.

Apr 16

19 min 55 sec

We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Apr 14

48 min

How scammers copied a government website almost to perfection. What to do about those fake "bug" hunters who ask for payment for finding "vulnerabilities" that aren't. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough. Useful podcasts and videos mentioned in this episode: https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/s3-ep8-a-conversation-with-katie-moussouris https://nakedsecurity.sophos.com/what-should-you-say-if-you-have-a-data-breach With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Apr 7

46 min 9 sec

Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks. With Doug Aamoth and Paul Ducklin.

Apr 1

37 min 37 sec

How a social engineer ripped off a victim lured in by one of those "small outstanding fee to pay" home delivery scams. The ransomware crooks targeting networks that still haven’t done their Hafnium patches. And the Linux kernel security holes that lay there undiscovered for 15 years. Related articles that we refer to in the show: https://nakedsecurity.sophos.com/beware-the-dhl-delivery-message https://nakedsecurity.sophos.com/watch-out-scummy-scammers https://nakedsecurity.sophos.com/s3-ep12-a-chat-with-social-engineering-hacker-rachel-tobac https://nakedsecurity.sophos.com/blackkingdom-ransomware https://nakedsecurity.sophos.com/serious-security-webshells-explained https://nakedsecurity.sophos.com/naked-security-live-hafnium-explained https://nakedsecurity.sophos.com/serious-security-the-linux-kernel-bugs With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Mar 25

47 min

We discuss an iPhone app that allowed anyone to snoop on anyone's calls - but not in the way you might expect. We investigate a data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently "secured" by a single password... that got leaked onto the internet. And we urge you as keenly as we can: "Don't spread hoaxes, folkses." With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Mar 17

47 min 26 sec

John Noble was Director of Incident Management at the UK's National Cyber Security Centre (NCSC) until his retirement in 2018. During his 40 years of Government service, John specialised in operational delivery and strategic business change. For his work in creating effective partnerships in the run up to the London Olympics, he was made a Commander of the British Empire (CBE) in 2012. John helped to establish the NCSC and led the response to nearly 800 significant cyberincidents. This work has given him unrivalled experience in dealing with and understanding the causes of cyberattacks. John is currently a non-executive director at NHS Digital, where he chairs the Information Assurance and Cyber Security Committee. NHS Digital is the national information and technology partner to the health and social care system in England.

Mar 15

29 min 39 sec

Getting to grips with the HAFNIUM gang/vulnerabilities/exploits/webshells/attacks. Why it's important to think before you share those home-based selfies. What you need to know about social engineering. How (not!) to prove a point when you're a programmer. With Kimberly Truong and Paul Ducklin.

Mar 10

32 min 47 sec

How to stop security-conscious apps from allowing unencrypted data to escape, and how scammers put social network users under pressure in order to steal their passwords. With Doug Aamoth and Paul Ducklin.

Mar 4

38 min 5 sec

The graphics card that wants you to stick to playing games, the man that didn't weigh 100 tons after all, and the marketing gang that used a browser bug to bombard iPhone users with scammy online surveys. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Feb 25

45 min 40 sec

How a bug hunter snuck into the internal networks of 35 megacorporations. Why romance scams are going stronger than ever (and how to avoid them). What to do about those tempting but treacherous "tax refund" messages. And a listener tells us how he got a bit carried away while he was gardening... With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Feb 17

53 min 9 sec

In this special mini-episode, Paul Ducklin talks to Sophos cybersecurity expert Chester Wisniewski about bug bounty hunting. How does bug bounty hunting work? What should you do if you get a bug report that doesn't follow established protocol? Chester tells you how to deal with so-called "beg bounties", where self-styled "experts" beg you for money or even threaten you with ill-defined "problems" they claim to have found. https://news.sophos.com/en-us/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way https://nakedsecurity.sophos.com/beware-of-technical-experts-bombarding-you-with-bug-reports

Feb 12

16 min 28 sec

We delve into Google's tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the Perl.com domain. With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Feb 11

47 min 55 sec