Smashing Security

Author: Graham Cluley

Description

Smashing Security isn’t your typical tech podcast. Hosted by cybersecurity veteran Graham Cluley, it serves up weekly tales of cybercrime, hacking horror stories, privacy blunders, and tech mishaps - all with sharp insight, a sense of humour, and zero tolerance for tech waffle.


Winner of the best and most entertaining cybersecurity podcast awards in 2018, 2019, 2022, 2023, and 2024, Smashing Security has had over ten million downloads. Past guests include Garry Kasparov, Mikko Hyppönen, and Jack Rhysider. Follow the podcast on Bluesky at @smashingsecurity.com, and subscribe for free in your favourite podcast app.


New episodes released at 7pm EST every Wednesday (midnight UK).

437 Episodes
When "bad actors" stop being hackers and start being... actual actors.

This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear.

Plus, the UK's ICO says students are increasingly hacking their own schools.

Meanwhile, Graham heads to 1960s Oxford with Endeavour, while Jenny investigates the Wirral’s mysterious "Catman".

All this, and more, in episode 435 of the "Smashing Security" podcast.

EPISODE LINKS:
Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack - Unit 42.
Jaguar Land Rover extends production shutdown after cyber-attack - The Guardian.
AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT - Genians.
Israel says suspected Iranian hackers targeted actors in phishing attack - Iran International.
Iranian Educated Manticore Targets Leading Tech Academics - Check Point.
Children hacking their own schools for 'fun', watchdog warns - BBC News.
Endeavour - ITVx.
Crowds armed with torches hunt the “cat man” every night - Liverpool Echo.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORS:
Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off!
Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.

SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:
Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?
Make sure to check out our sister podcast, "The AI Fix".

Privacy & Opt-Out: https://redcircle.com/privacy

Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did - and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon.

Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped ship for a rival.

All this and much more is discussed in episode 434 of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Lianne Potter. Hear them chew over catastrophic fast-food security, insider threats with extra fries, and why even the biggest brains in AI can't stop themselves from doing something utterly stupid.

EPISODE LINKS:
We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance - Internet Archive Wayback Machine.
DMCA notice - Bobdahacker.
xAI sues former engineer, alleging he stole trade secrets after being paid $7M - San Francisco Standard.
xAI vs Xuechen Li - Court documents.
Classic Reload.
Digger - Classic Reload.
Kingdom of Kroz - Classic Reload.
The Bad Movie Bible - YouTube.
Shark Attack 3: Megalodon - YouTube.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORED BY:
Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.
Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money.
Smashing Security listeners get $1000 off!

Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talk AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).

Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other words, one hacker with an AI helper can work like an entire team of cybercriminals.

Plus: a joyous geek detour into keyboard history, and the most diabolically annoying, fully functional AI-generated CAPTCHA that you will love to inflict on your friends.

EPISODE LINKS:
LegalPwn: Abusing Legal Disclaimers to Trigger Prompt Injections - Pangea Labs.
LegalPwn: Tricking LLMs by burying badness in lawyerly fine print - The Register.
LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code - HackRead.
One long sentence is all it takes to make LLMs misbehave - The Register.
Londoners give up eldest children in public Wi-Fi security horror show - The Guardian.
Targeted social engineering is en vogue as ransom payment sizes increase - Coveware.
State of Malware 2025 - ThreatDown.
Cybercrime in the Age of AI - ThreatDown.
Threat Intelligence Report: August 2025 - Anthropic.
The Day Return Became Enter - Marcin Wichary.
Ethan Mollick’s terrible AI-generated CAPTCHAs - Twitter.
The very worst AI-generated CAPTCHA? - Claude.ai.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORED BY:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.
Smashing Security listeners get $1000 off!

We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault.

Then we time-hop to the post-quantum scramble: "harvest-now, decrypt later", Microsoft's 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse.

All this, plus a gloriously dodgy URL “shadyfier,” and turning the iconic iMac G4 into a modern media hub.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Thom Langford.

EPISODE LINKS:
DOM-based Extension Clickjacking: Your Password Manager Data at Risk - Marek Tóth.
Major password managers can leak logins in clickjacking attacks - Bleeping Computer.
Microsoft to Make All Products Quantum Safe by 2033 - Infosecurity Magazine.
Shady URL.
DockLite G4 - Juicy Crumb.
I perfected the iMac G4 - YouTube.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills.

Meanwhile, we look at the growing threat of EDR-killer tools that can quietly switch off your endpoint protection before an attack even begins.

And for something a little different, we peek into the Internet Archive’s dystopian Wayforward Machine and take a detour to Mary Shelley’s resting place in Bournemouth.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Allan "Ransomware Sommelier" Liska.

Episode links:
Crypto Influencer Sentenced to Prison for Multi-Million Dollar “Cryptojacking” Scheme - US Department of Justice.
Ransomware crews don't care about your endpoint security – they've already killed it - The Register.
Way Forward Machine - The Internet Archive.
Mary Shelley’s grave - Atlas Obscura.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Proton Drive - Protect your files with end-to-end encryption in Switzerland’s secure cloud — only on Proton Drive.

A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Dave Bittner from The Cyberwire.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Invitation Is All You Need: Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite - SafeBreach.
Invitation attack curses - YouTube.
Invitation attack opens shutters - YouTube.
Guy Gives Himself 19th Century Psychiatric Illness After Consulting With ChatGPT - 404 Media.
Superman (2025) trailer - YouTube.
Billy Joel: And so it goes - HBO Max.
Billy Joel: And so it goes trailer - YouTube.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Proton - Break free from Gmail. You should be able to choose what happens to your data. With Proton, only you can read your emails.

Those of you who tuned in to last week's episode (#428) will have heard the big news from my podcast pal Carole that she's decided to move on from her co-hosting duties on the show.

There have been some lovely messages of support sent through for Carole, and indeed for me too. Thank you very much to all of you - it's really heartwarming to hear how much the last 428 episodes have meant to you all, and how much you want the show to go on.

And so - as I said last week - it will carry on. Next week there will be a regular edition of "Smashing Security" with a special guest well known to all of you, and I plan to carry on as normal every week with guests after that...

This week though I felt like I needed to catch my breath, and take a break. But I didn't want to leave you without something to listen to...

So, here is a special edition of "Smashing Security" with a couple of clips from recent episodes of its sister show "The AI Fix", which I co-host with Mark Stockley.

If you enjoy "The AI Fix," please do follow it in your favourite podcast apps and tell your friends!

Until next week, cheerio bye bye.

Episode links:
The AI Fix.
The AI Fix on Apple Podcasts.
The AI Fix on Spotify.
The AI Fix on Pocketcasts.
The AI Fix on Overcast.

The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes.

Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer.

All this is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Update regarding cybersecurity incident - Tea.
Hackers steal images from women's dating safety app that vets men - BBC News.
A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating - 404 Media.
American musical satirist Tom Lehrer dies at 97 - BBC News.
Tom Lehrer website.
Tom Lehrer sings The Elements, live in Copenhagen, 1967 - YouTube.
Tom Lehrer sings “New Math” (animated) - YouTube.
Carole’s Substack.
Libby - Library app.
Shokz UK.
Two Birds Yoga - YouTube.
Thermapen.
BBC Sounds.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

In this episode, Graham warns why it is high time we said goodbye to 2G - the outdated mobile network being exploited by cybercriminals with suitcase-sized SMS blasters. From New Zealand to London, scammers are driving around cities like dodgy Uber drivers, spewing phishing texts to thousands at once.

Meanwhile, Carole unpacks a painfully awkward tale of amour fou, as a 76-year-old Belgian man drives 476 miles to meet his dream woman... only to be greeted by her very-much-still-husband at the gate.

Plus: Sky Arts painting competitions get a thumbs up, Mark Zuckerberg never loses at board games, and the scandalous Facebook memoir Meta tried to silence.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Teen arrested for 'smishing scam' using technology never before seen in New Zealand - RNZ.
Op Orca — smishing scam smashed - New Zealand police.
SMS blasting incidents are rising - Risky Bulletin.
Bangkok busts SMS Blaster sending 1 million scam texts from a van - Bleeping Computer.
Police warn of SMS scams as ‘blaster’ is used to send thousands of texts - The Guardian.
Reports of SMS Messages Sent by Fake Base Stations - Commsrisk.
Keeping your Android device safe from text message fraud - Google Security blog.
What is Paris syndrome? How culture shock can kill a trip - The Independent.
Belgian man crushed after driving nearly 500 miles to meet French model he believed was his 'future wife' - Fox News.
French is the language of love: myth, reality, and romance - ICLS.
Romance scam victim travels 700km 'to marry French beauty queen' - BBC News.
Un homme se présente chez moi pour être mon futur mari… - YouTube.
Sky Artist of the Year.
Careless People - The Guardian Bookshop.
Careless People: We read the book that Mark Zuckerberg doesn’t want you to read - Slate.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

In episode 426 of the "Smashing Security" podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation. Meanwhile, Carole investigates how Grok went berserk, which didn't stop the Department of Defense signing a contract with Elon’s AI chatbot. So who is responsible when your chatbot becomes a bigot?

Plus: Email headaches, SPF rage, and a glowing review for... Taskmaster SuperMax Plus?

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Schoolboy hacks into city's tram system - The Telegraph.
Caboose - Wikipedia.
Neil Smith discusses his findings - Twitter thread.
End-of-Train and Head-of-Train Remote Linking Protocol - CISA.
The Cheap Radio Hack That Disrupted Poland’s Railway System - Wired.
Grok, Elon Musk’s AI Chatbot, Shares Antisemitic Posts on X - The New York Times.
X ordered its Grok chatbot to ‘tell like it is.’ Then the Nazi tirade began - Washington Post.
Hacker uses Elmo's X account to post antisemitic rant and demand release of Epstein files - ABC News.
Elon Musk Announces Sensuous Grok AI Companion - Mashable.
Grok Rolls Out Pornographic Anime Companion, Lands Department of Defense Contract - The Rolling Stone.
Learn DMARC.
TASKMASTER SUPERMAX+.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Trelica by 1Password - Access Governance for every SaaS app.
Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

In episode 425 of "Smashing Security", Graham reveals how "Call of Duty: WWII" has been weaponised - allowing hackers to hijack your entire PC during online matches, thanks to ancient code and Microsoft’s Game Pass. Meanwhile, Carole digs into a con targeting the recently incarcerated, with scammers impersonating bail bond agents to fleece desperate families.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Call of Duty: WWII trailer - YouTube.
Warning: Do NOT Play COD WWII on PC Gamepass - YouTube.
2017 Wichita swatting - Wikipedia.
Call of Duty: WW2 on PC Game Pass yanked offline amid reports security exploits are leaving players with screens full of smut - Eurogamer.
Common Bail Bond Scams and How to Avoid Them - US Attorneys.
Can I Check out Another Person's Criminal Record? - Nolo.
Belton Bail Bond Testimonials.
‘They know everything’: Families of inmates at Sumner County Jail targeted in bail scam - Nashville WKRN.
Latest scam targets NJ families of those who were recently arrested, demanding bail - New Jersey 1050.
John & Paul: A Love Story in Songs by Ian Leslie review – let it be the new gold standard in Beatles studies - The Guardian.
Introducing 'John & Paul: A Love Story In Songs' - Ian Leslie.
Charles Paris mysteries - BBC Radio 4.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

A Mexican drug cartel spies on the FBI using traffic cameras and spyware — because "ubiquitous technical surveillance” is no longer just for dystopian thrillers. Graham digs into a chilling new US Justice Department report that shows how surveillance tech was weaponised to deadly effect.

Meanwhile, Carole checks the rear-view mirror on the driverless car industry. Whatever happened to those million Tesla robotaxis Elon Musk promised by 2020? Spoiler: they’re here — sort of — but they sometimes drive into oncoming traffic.

Plus: Leighton House, heatwave survival gadgets, and an unflushable toilet situation (not what you think).

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Mexican drug cartel hacker spied on FBI official’s phone to track and kill informants, report says - TechCrunch.
Audit of the Federal Bureau of Investigation's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance - US Department of Justice Office of the Inspector General.
Tesla driver tells police he was using 'self-drive' system when his car hit a parked police vehicle - AP News.
‘Lidar is lame’: why Elon Musk’s vision for a self-driving Tesla taxi faltered - The Guardian.
Tesla invited influencers to test its robotaxi. Here's what they had to say - USA Today Europe.
Elon Musk Hails 'Successful' Tesla Robotaxis Launch in Austin Amid Reported Glitches - eWEEK.
A Fatal Tesla Crash Shows the Limits of Full Self-Driving - Bloomberg.
The Arab Hall at Leighton House.
Spandau Ballet’s “Gold” - shot at Leighton House!
Shark FlexBreeze Fan With InstaCool Mist Attachment - Shark.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.
Smashing Security listeners get $1000 off!
Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

In this episode, Graham unravels Operation Endgame - the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram.

Meanwhile, Carole exposes the AI-generated remote hiring threat. Could your next coworker be a North Korean hacker with a perfect LinkedIn?

And BBC cyber correspondent Joe Tidy joins us to talk about "Ctrl-Alt-Chaos", his new book diving into the murky world of teenage hackers, ransomware gangs, and the strange motivations that lie behind digital mayhem.

Plus: competitive pond husbandry, dead slugs, Hitster the board game, and a shoutout to the AI startup that hijacked Graham's SEO.

All this and more is discussed in episode 423 of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault - it's like a cauldron of life... but for cybersecurity.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Operation Endgame.
Ctrl+Alt+Chaos.
Lizard Squad Member: Why I Took Down Xbox and PlayStation - YouTube.
Reckoning With the Rise of Deepfakes - The Regulatory Review.
Deepfake interviews: Navigating the growing AI threat in recruitment and organizational security - Fast Company.
Why Your Hiring Process is Now a Cybersecurity Vulnerability - Pindrop.
Best Practices for Defeating Deepfake Candidate Fraud - Dice Hiring.
Phanpy - A minimalistic opinionated Mastodon web client.
How to make a mini pond - Gardener’s World.
Hitster board game.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Flare - Uncover the latest threats across the dark web and Telegram. Start your free trial today.
Trelica by 1Password - Access Governance for every SaaS app.
Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

A GCHQ intern forgets the golden rule of spy school — don’t take the secrets home with you — and finds himself swapping Cheltenham for a cell. Meanwhile, an Australian hacker flies too close to the sun, hacks his way into a US indictment, and somehow walks free... only to get booted back Down Under.

Plus: flow states, Bob Mortimer, and the joys of pretending to carry an owl around on a cushion.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
The Cheltenham Doughnut - Wikipedia.
Summer placements - GCHQ.
Spy school dropout: GCHQ intern jailed for swiping classified data - The Register.
Former GCHQ intern jailed for taking top secret files home - Crown Prosecution Service.
United States government says it will deport Australian hacker David Kee Crees - ABC News.
Australian national known as “DR32” sentenced in U.S. federal court – DataBreaches.
ICE takes steps to deport the Australian hacker known as “DR32” – DataBreaches.
Aussie Travel Cover has hundreds of thousands of records stolen in hacking, policy holders not informed - ABC News.
Australian cybercriminal to be deported from US - Information Age.
Government sites hit by Aussie Travel Cover hacker - ZDNET.
Abdilo, Australia-based computer hacker, live streams attack on US education sites - ABC News.
Bob Mortimer's Pet Owl - YouTube.
And Away… by Bob Mortimer - Simon & Schuster.
Flow by Mihaly Csikszentmihalyi - HarperCollins.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Flare - Uncover the latest threats across the dark web and Telegram. Start your free trial today.
Trelica by 1Password - Access Governance for every SaaS app.
Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the "Smashing Security" podcast obviously.

Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force your full phone number. Meanwhile, Carole dives into a chilling scam where ICE impersonators used fear, spoofed numbers, and... Apple gift cards to extort terrified migrants.

Plus: Nazis, door safety, and the age-old struggle of telling Ralph Fiennes from Liam Neeson.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Bruteforcing the phone number of any Google user - Brutecat.
Leaking the phone number of any Google user - YouTube.
Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account - The Hacker News.
Google fixes flaw that could unmask YouTube users' email addresses - Bleeping Computer.
ICE Scammers Are On The Rise: What To Do - Newsweek.
Student visa holder tricked by fake ICE agent scam, loses thousands - Newsweek.
Conspiracy - IMDB.
Schindler’s List - IMDB.
Dutch Reach car door opening method - The AA.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Flare - Uncover the latest threats across the dark web and Telegram.
Start your free trial today.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!FOLLOW US:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks. Privacy & Opt-Out: https://redcircle.com/privacy
A bizarre case of political impersonation, where Trump’s top aide Susie Wiles is cloned (digitally, not biologically — we think), and high-ranking Republicans start getting invitations to link up with "her" on Telegram to share their Trump pardon wishlists. Was it a deepfake? Or just someone with a halfway decent impression and access to a shady data broker?

Meanwhile, we take a worryingly familiar journey into the mental health crisis in the UK — and how TikTok is stepping in with advice like “eat an orange in the shower” to cure your anxiety. Spoiler: it won’t. But it might make your bathroom smell nice.

Plus: a nostalgic tech support tale involving a CRT monitor, a wooden door, and an unexpected shade of brown.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Federal Authorities Probe Effort to Impersonate White House Chief of Staff - Wall Street Journal.
FBI probes effort to impersonate White House chief of staff Susie Wiles, sources say - CBS News.
The Trump Administration Accidentally Texted Me Its War Plans - The Atlantic.
The Trump campaign is still being hacked - Popular Information.
The Big Mental Health Report - Mind.
Mental Health Pressures - British Medical Association.
More than half of top 100 mental health TikToks contain misinformation, study finds - The Guardian.
‘They thought they were doing good but it made people worse’: why mental health apps are under scrutiny - The Guardian.
How to find therapy or counselling - Mind.
Carole in the shower with an orange? - Twitter.
Matter - modern read-later app for iPhone, iPad, and web.
Techie fixed a ‘brown monitor’ by closing a door - The Register.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
MetaCompliance - MetaCompliance's Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Harmonic - Let your teams adopt AI tools safely by protecting sensitive data in real time with minimal effort. Harmonic Security gives you full control and stops leaks so your teams can innovate confidently.

Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world's hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum?

All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
How I found a Star Wars website made by the CIA - Ciro Santilli on YouTube.
How the CIA failed Iranian informants in its secret war with Tehran - Reuters.
Isis and al-Qaeda sending coded messages through eBay, pornography and Reddit - Independent.
Games Without Frontiers: Investigating Video Games as a Covert Channel - IEEE.
General David Petraeus used clever Gmail trick during affair - Network World.
Cambodia is home to world’s most powerful criminal network: report - SCMP.
How to protect yourself from suspicious messages and scams - WhatsApp.
Is WhatsApp Safe? Tips for Staying Secure - WhatsApp.
Hacked on WhatsApp – how to stay safe when using the messaging app - BBC.
Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp - The Hacker News.
Kon-Tiki: The Epic Raft Journey Across the Pacific - YouTube.
Still Standing with Jonny Harris - CBC.
Niki de Saint Phalle & Jean Tinguely - Myths & Machines - Hauser & Wirth.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
1Password Extended Access Management – Secure every sign-in for every app on every device.
MetaCompliance - MetaCompliance's Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.

In this week’s episode, Graham investigates the mysterious Iberian Peninsula blackout (aliens? toaster? cyberattack?), Carole dives into the UK legal aid hack that exposed deeply personal data of society's most vulnerable, and Dinah Davis recounts how Instagram scammers hijacked her daughter’s account - and how a parental control accidentally saved the day.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Dinah Davis.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
418 - I’m a teapot - MDN Web Docs.
2025 Iberian Peninsula blackout - Wikipedia.
What could have caused the major power outage in Spain and Portugal? Experts weigh in - Euro News.
Spain investigates cyber weaknesses in blackout probe - Financial Times.
Report on Working Conditions at INCIBE, the company Investigating the blackout - El Cierre Digital.
My Teen's Instagram Account was Hacked - Dinah Davis.
We Got Her Account Back, Here’s What the Forensics Revealed - Dinah Davis.
'Significant amount' of private data stolen in Legal Aid hack - BBC News.
Civil legal aid: millions still without access to justice - The Law Society.
Civil representation - Legal aid data - GOV.UK.
Legal aid statistics England and Wales bulletin Oct to Dec 2024 - GOV.UK.
Funding for justice down 22% since 2010 - Bar Council.
The Assembly - ITV.
The Assembly review – this celebrity interview show is going to be massive - The Guardian.
The Assembly: Inside the most groundbreaking TV show of the year - The Independent.
David Tennant gets emotional from neurodivergent musicians - YouTube.
OceanMan.
All the Colours of the Dark by Chris Whitaker - Orion Books.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
1Password Extended Access Management – Secure every sign-in for every app on every device.
MetaCompliance - MetaCompliance's Security Awareness Planner is your free 12-month roadmap to reduce risk and build a culture of cyber awareness.

Don't get duped, doxxed, or drained! In this episode of "Smashing Security" we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger's Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Plus! Don't miss our featured interview with Drata's Matt Hillary.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Ledger secures Discord after hacker bot tried to steal seed phrases - CoinTelegraph.
Binance Founder CZ Warns: Ledger Discord Hack Targets Recovery Phrases - CoinPedia.
Ledger confirms physical scam letters requesting seed phrase in fake security upgrade - The Block.
Physical addresses of 270K Ledger owners leaked on hacker forum - Bleeping Computer.
Criminals are mailing altered Ledger devices to steal cryptocurrency - Bleeping Computer.
New Hello Pervert Email Attack Warning — ‘I Know Where You Live’ - Forbes.
‘Hello pervert’: the sextortion scam claiming to have videoed you - The Guardian.
"Hello Pervert" Email Is A Total Scam - What You Need To Know - Malware Tips.
Scam email sent from my own email address - Microsoft Community.
Thunderbolts* review: 'The greatest Marvel offering in years' - BBC.
Limelight, Exemplar - BBC Radio 4.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
Dashlane - Protect against the #1 cause of data breaches - poor password habits. Save 25% off a new business plan, or 35% off a personal Premium plan!
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Brits face empty shelves and suspended meal deals as cybercriminals hit major high street retailers, and a terminated Disney employee gets revenge with a little help from Wingdings. Plus Graham challenges Carole to a game of "Malware or metal?", and we wonder just what happens when you have sex on top of a piano?

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Plus! Don't miss our featured interview with Jon Cho of Dashlane.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:
Why is the M&S cyber attack chaos taking so long to resolve? - BBC News.
M&S 'had no plan' for cyber attacks, insider claims, with 'staff left sleeping in the office amid paranoia and chaos' - Sky News.
Hackers target the Co-op as police probe M&S cyber attack - BBC News.
Harrods latest retailer to be hit by cyber attack - BBC News.
Alleged ‘Scattered Spider’ Member Extradited to US - Krebs on Security.
British 'ringleader' of hacking group 'behind M&S cyber attack' fled his home after 'masked thugs burst in and threatened him with blowtorches' - Daily Mail.
Incidents impacting retailers – recommendations - NCSC.
Ex-Disney employee gets 3 years in the clink for goofy attacks on mousey menus - The Register.
United States of America V Michael Sheuer - Plea Agreement - US District Court PDF.
The Tall Guy - IMDB.
At 99, David Attenborough shares strongest message for the ocean - Oceanographic magazine.
Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:
Dashlane - Protect against the #1 cause of data breaches - poor password habits. Save 25% off a new business plan, or 35% off a personal Premium plan!
Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Material - Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.

Comments (65)

Darren Davidson

I am on a train, listening and gobsmacked! Going to miss you CT, thank you for all the laughs, news and tips. Good luck with all you do next!

Aug 1st

Camila Costa

Smashing Security is an award-winning weekly podcast hosted by cybersecurity veterans Graham Cluley and Carole Theriault. It offers a humorous and insightful take on the latest tech mishaps, cybercrime stories, and online privacy issues. https://stumbleguysapks.net/

Apr 29th

Willien Muniz

Miss u guys soo much

Sep 6th

Willien Muniz

I've always wanted to change to Linux. I need to thank Microsoft for the push ;p

Jun 3rd

Rupert Reynolds

"Flammable" is a word made up relatively recently, because some people were getting confused by the original "inflammable". "Literally" is worse, because it makes English less precise and more prone to misunderstandings. Bloody stupid idea!

Apr 18th

Willien Muniz

I really love the audio lol (isn't sarcasm). Graham's audio reminds me of an old radio

Apr 5th

Cora

"Smashing Security" aims to present cybersecurity information in an engaging and accessible way, making it suitable for both individuals with a technical background and those who are less familiar with the intricacies of cybersecurity. https://miswebmail.com.au/

Feb 24th

Cora

"Smashing Security" is a podcast that focuses on cybersecurity and privacy topics. The podcast is hosted by Graham Cluley and Carole Theriault, both of whom have extensive experience in the cybersecurity industry. https://proluluboxapk.com

Feb 24th

Daniel Lisa

"Smashing Security" is a podcast that covers various cybersecurity topics. However, the additional text you provided appears to be a mix of random characters and a website link. If you have a specific question or topic related to cybersecurity, feel free to ask, and I'll do my best to provide information. https://dudetheftwars.net/

Jan 30th

Azura Bennett

Smashing Security: where cybersecurity meets comedy gold. With industry veterans at the helm, this podcast delivers laughs while keeping you updated on the latest security buzz. A must-listen for a fun and secure tech fix!

Jan 7th

Rupert Reynolds

Oh dear. Piers Mordor has memory problems. Who could have predicted that?!

Dec 28th

Lisa Pool

The concern I have about doxxing is what happens when you get it wrong, which many people have. Then innocent people's lives can be absolutely ruined. Death threats, losing jobs, families broken, etc.

Aug 5th

Sean O

used to be good, now just childish bullshit, giggling like clowns at unfunny chat. just bang each other already.

May 29th

Rob K

hahaha a "bit of a boneless chicken"

Oct 25th