Smashing Security

On this week's show we learn that AI really can be a stalker’s best friend, as we explore a strange tale that starts with a manatee-shaped mailbox on a millionaire's lawn and ends with Grok happily doxxing real people, mapping out stalking "strategies," and handing out revenge-porn tips.Then we go inside the Louvre heist, where thieves in hi-vis and a hire van waltzed off with the French crown jewels in broad daylight, exploiting our assumptions about what "looks normal" - the same kind of bias we’re now baking into security AIs.Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.All this, and more, in episode 447 of the "Smashing Security" podcast with Graham Cluley, and special guest Jenny Radcliffe.EPISODE LINKS:Khashoggi widow files complaint in France alleging Saudi government infected devices with spyware - The Record.US Posts $10 Million Bounty for Iranian Hackers - Security Week.Infostealer has entered the chat - Kaspersky.Dave Portnoy posts a photo of his lawn (including a manatee-shaped mailbox) - Twitter.Elon Musk’s Grok AI Is Doxxing Home Addresses of Everyday People - Futurism.Elon Musk’s Grok Is Providing Extremely Detailed and Creepy Instructions for Stalking - Futurism.How the Louvre thieves exploited human psychology to avoid suspicion – and what it reveals about AI - The Conversation.Outrageous (TV series) - Wikipedia.Outrageous trailer - YouTube.Man charged with theft after allegedly swallowing Fabergé pendant in jewellery store - The Guardian.Free Microsoft 365 Tenant Security Scanner - CoreView.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.CoreView - Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls. SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

A teenage cybercriminal posts a smug screenshot to mock a sextortion scammer... and accidentally hands over the keys to his real-world identity. Meanwhile, we look into the crystal ball for 2026 and consider how stolen data is now the jet fuel of cybercrime – and how next year could be even nastier than 2025.Plus, Graham rants about recipe sites that won’t shut up, and there's even more love for Lily Allen's album "West End Girl" album.All this and more is discussed in episode 446 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Rik Ferguson.EPISODE LINKS:Europol nukes Cryptomixer laundering hub, seizing €25M in Bitcoin - The Register.4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign - Koi.Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts - Push Security.Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ - Krebs on Security.Jonathan Ross email goof highlights Twitter security issue - Graham Cluley.VIDEO: Mark Zuckerberg’s password choices are dadada-dumb! - Graham Cluley.Password to Louvre’s video surveillance system was 'Louvre', according to employee - ABC News.Just the Recipe.West End Girl - Wikipedia.West End Girl - Spotify.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:1Password - Take the first step to better security by securing your team’s credentials.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

America's airwaves are haunted by zombies again, as we dig into a decade of broadcasters leaving their hardware open to attack, giving hackers the chance to hijack TV shows, blast out fake emergency alerts, and even replace religious sermons with explicit furry podcasts.Meanwhile, we look at how a worker at a cybersecurity firm allegedly leaked internal information to a hacking gang - raising big questions about insider threats.Plus: Frankenstein on Netflix, Vine nostalgia, and why Barney the Dinosaur may be the true criminal mastermind behind it all.All this and more is discussed in episode 445 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Dan Raywood.EPISODE LINKS:Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix - Acronis.Tokyo Court Finds Cloudflare Liable For Manga Piracy in Long-Running Lawsuit - TorrentFreak.Former Google chief accused of spying on employees through account ‘backdoor’ - LA Times.Bogus zombie apocalypse warnings undermine US emergency alert system - Ars Technica.2013 EAS Zombie Hoax - Emergency Alert System Wiki.The 1987 Max Headroom incident - YouTube.Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings - Ars Technica.ESPN 97.5 Houston Victim Of Barix Hack - Radio Insight.ESPN Houston apologises to viewers - Facebook.CrowdStrike fires ‘suspicious insider’ who passed information to hackers - TechCrunch.Frankenstein official trailer - YouTube.Frankenstein - Netflix.Vine: Six Seconds that changed the world - Global Player.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Stop the press - a company has actually said "sorry" after a data breach, and hotels are helping hackers phish their own guests.In episode 444 of "Smashing Security" we examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig into a nasty hotel-booking malware campaign that abuses trust in apps and CAPTCHAs, and chat about autonomous pen testing, AI-turbocharged cybercrime, and what CISOs should really be asking on Monday morning.And lost Doctor Who is brought back to life by one very dedicated animator, and we take a look at Eddie Murphy’s career.All this and more is discussed in episode 444 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.Plus - don't miss our featured interview with Snehal Antani from Horizon3.ai!EPISODE LINKS:A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers - Wired.British hacker must repay £4m after hijacking celebrity Twitter accounts - BBC News.Cloudflare experiences a massive outage - LifeHacker.Protecting our Merchants: Standing up to Extortion - Checkout.A miracle: A company says sorry after a cyber attack - and donates the ransom to cybersecurity research - Hot for Security.Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware - The Hacker News.Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests - Akamai.Doctor Who Animation: Daleks' Master Plan - The Nightmare Begins. Part 1 - YouTube.Doctor Who Animation: Daleks' Master Plan - The Nightmare Begins. Part 2 - YouTube.Being Eddie - Netflix.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing "number one investment tips."Meanwhile, will agentic AI replace your co-hosts before you can say "EDR for robots"? and why you should still read books.All this, plus Lily Allen's new album and Claude Code come up for discussion in episode 443 of the "Smashing Security" podcast, with special guest Ron Eddings.EPISODE LINKS:‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones - TechCrunch.Cyber insurers paid out over twice as much for UK ransomware attacks last year - The Register.Lost iPhone? Don’t fall for phishing texts saying it was found - Bleeping Computer.Tinder to use AI to get to know users, tap into their Camera Roll photos - TechCrunch.Facebook’s AI can now suggest edits to the photos still on your phone - TechCrunch.Berkshire warns of AI deepfakes impersonating Warren Buffett - Reuters.West End Girl - Wikipedia.West End Girl - Spotify.Claude Code.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away.Plus when ransomware negotiators turn to the dark side, what could possibly go wrong?All this and more is discussed in episode 442 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Dave Bittner.EPISODE LINKS:Alleged Meduza Stealer malware admins arrested after hacking Russian org - Bleeping Computer.Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices - Zimperium.Postcode Lottery's lucky dip turns into data slip as players draw each other's info - The Register.Chinese Ministry of State Security MSS WeChat post - WeChat.China blames US for cyber break-in, claims America is world's biggest bit burglar - The Register.Chicago firm that resolves ransomware attacks had rogue workers carrying out their own hacks, FBI says - Chicago Sun Times.MicroMacro: Crime City.Star Wars 3.5 foot animated LED R2-D2 - Home Depot.TrackaLacker.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Material - Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table.Meanwhile, researchers have found they could poke around an FIA driver portal to pull up the personal details of Formula 1 megastars.Plus: Graham’s “Pick of the Week” turns CAPTCHA hell into a delightfully deranged browser game that will make you question vegetables, geometry, and your life choices, while Danny takes a trip to ancient Africa...All this and more is discussed in episode 441 of "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Danny Palmer.EPISODE LINKS:Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them - Dr Web.Cyberattack on Russia’s food safety agency reportedly disrupts product shipments - The Record.Dissecting YouTube's malware distribution network - Check Point.31 Defendants, Including Members and Associates of Organized Crime Families and National Basketball Association Coach Chauncey Billups, Charged in Schemes to Rig Illegal Poker Games - US Department of Justice.How Hacked Card Shufflers Allegedly Enabled a Mob-Fueled Poker Scam That Rocked the NBA - Wired.Every Formula 1 driver on the grid just had their passport and license details leaked - but it could have been so much worse - TechRadar.I’m not a robot - Neal.fun.Can I Beat The CAPTCHA Game? - YouTube.An African History of Africa by Zeinab Badawi - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI DSS rules are finally muzzling Magecart-style skimmers.Plus: Graham reveals his new-found superpower with Keyboard Maestro, and Scott describes a slick new way to whip up beautiful how-to videos with Screen Studio.All this and more is discussed in episode 440 of "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Scott Helme.EPISODE LINKS:What caused the AWS outage - and why did it make the internet fall apart? - BBC News.China blames US for cyber break-in, claims America is world's biggest bit burglar - The Register.Nintendo allegedly hacked by Crimson Collective hacking group - screenshot shows leaked folders, production assets, developer files, and backups - Tom’s Hardware.Romanian inmate hacks into prison IT system, modifies sentences for others - Romania Insider.New Version of PCI DSS Designed to Tackle Emerging Payment Threats - Infosecurity Magazine.What is Magecart? How this hacker group steals payment card data - CSO.Keyboard Maestro.Screen Studio.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

A critical infrastructure hack hits the headlines - involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole. Meanwhile we dig into the bit we don't talk about enough: the human cost of defending companies from hackers - stress, burnout, and how better leadership culture can help make security teams safer and saner.Plus we say a heartfelt "la di dah" to Diane Keaton, and tune in to a freshly re-released slice of pre-Fleetwood Mac history for the music-obsessed amongst us. All this and more is discussed in episode 439 of "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Annabel Berry.EPISODE LINKS:Cyber-attacks rise by 50% in past year, UK security agency says - The Guardian.What does the end of free support for Windows 10 mean for its users? - The Guardian.Satellites found exposing unencrypted data, including phone calls and some military comms - TechCrunch.Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS - Forescout.Caught in the act: Ransomware attack sticks to our AI-created honeypot - Forescout.Human Performance in Security Operations: A Survey on Burnout, Wellbeing and Flow State Among Practitioners - NDSS Symposium.State of the Security Profession 23/24 - Chartered Institute of Information Security.Leading Cyber.Mental Health in Cybersecurity Foundation.“Play it Again, Sam” - IMDB.“Play it Again, Sam” clip - YouTube.“Buckingham Nicks” - Spotify.Fleetwood Mac - Silver Springs (Live, 1997) - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)If anything we've discussed today has resonated with you, or if you're going through a tough time, please know you are not alone. There is always someone ready to listen, without judgment. Here are a few of the available resources:Shout - text 85258 (24x7)Samaritans - tel 116123 (24x7)Suicide prevention - tel 0800 689 5652 (6pm - 3.30am)SANEline - tel 0300 304 7000 (4.30pm - 10.30pm)SPONSORS:SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Your computer's mouse might not be as innocent as it looks - and one ransomware crew has a crisis of conscience that nobody saw coming.We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation.Meanwhile, Graham reveals a baked potato hack that might just change your life, and we take an unexpected detour to South America for a bit of literary adventure involving inflatable pigs.All this and more is discussed in episode 438 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Geoff White.EPISODE LINKS:Discord users' data stolen by hackers in third-party data breach - Bitdefender.North Korean hackers increasingly targeting wealthy crypto holders - BBC News.Scattered Lapsus$ Hunters offering $10 in Bitcoin to 'endlessly harass' execs - The Register.Vacanti mouse - Wikipedia.Mic-E-Mouse.Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors - Arvix.Mic-E-Mouse Pipeline Demonstration - YouTube.Hackers say they have deleted children's pictures and data after nursery attack backlash - BBC News.Baked Potato - Wikipedia.“At the Tomb of the Inflatable Pig: Travels through Paraguay” - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off.Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars.And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable walk-back.Plus, we take a look at ITV's phone-hacking drama with David Tennant, and take a crack at decoding the history of the Rosetta Stone.Hear all this and more in episode 437 of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Paul Ducklin.EPISODE LINKS:Harrods suffers new data breach exposing 430,000 customer records - Bleeping Computer.Caméras dissimulées : la CNIL sanctionne la Samaritaine - CNIL.‘Total internet blackout’ in Afghanistan sparks panic after Taliban vowed to stamp out immoral activities - CNN.ForcedLeak: AI Agent risks exposed in Salesforce AgentForce - Noma.The Hack - itvX.The Hack - YouTube.The Rosetta Stone: The Story of the Decoding of Hieroglyphics - Amazon.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards.All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Zoë Rose.EPISODE LINKS:EU cyber agency says airport software held to ransom by criminals - BBC News.Teenagers charged over cyber attack on TfL costing millions of pounds - Sky News.Teen arrested on suspicion of Vegas Strip attack that cost $100M - SF Gate.Paris: cyber-attack hits Natural History Museum, cancels exhibition - Sortira Paris.Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel - Le Parisien."Des pièces de collection nationale": le directeur du Muséum d'histoire naturelle de Paris indique que les pépites d'or volées ont "une valeur inestimable" - BFMTV.Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit - Security Week.Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware - Wiz.180+ NPM Packages Hit in Major Supply Chain Attack - Ox.Samsung confirms ads will now be shown on its $1,800+ fridges - UniLad.Bosch Cordless Multifunction Tool - Bosch.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

When "bad actors" stop being hackers and start being... actual actors.This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear.Plus, the UK's ICO says students are increasingly hacking their own schools.Meanwhile, Graham heads to 1960s Oxford with Endeavour, while Jenny investigates the Wirral’s mysterious "Catman".All this, and more, in episode 435 of the "Smashing Security" podcast.EPISODE LINKS:Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack - Unit 42.Jaguar Land Rover extends production shutdown after cyber-attack - The Guardian.AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT - Genians.Israel says suspected Iranian hackers targeted actors in phishing attack - Iran International.Iranian Educated Manticore Targets Leading Tech Academics - Check Point.Children hacking their own schools for 'fun', watchdog warns - BBC News.Endeavour - ITVx.Crowds armed with torches hunt the “cat man” every night - Liverpool Echo.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off!Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did - and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon.Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped ship for a rival.All this and much more is discussed in episode 434 of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Lianne Potter. Hear them they chew over catastrophic fast-food security, insider threats with extra fries, and why even the biggest brains in AI can't stop themselves from doing something utterly stupid.EPISODE LINKS:We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance - Internet archive wayback machine.DMCA notice - Bobdahacker.xAI sues former engineer, alleging he stole trade secrets after being paid $7M - San Francisco Standard.xAI vs Xuechen Li - Court documents.Classic Reload.Digger - Classic Reload.Kingdom of Kroz - Classic Reload.The Bad Movie Bible - YouTube.Shark Attack 3: Megalodon - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other words, one hacker with an AI helper can work like an entire team of cybercriminals.Plus: a joyous geek detour into keyboard history, and the most diabolically annoying, fully functional AI-generated CAPTCHA that you will love to inflict on your friends.EPISODE LINKS:LegalPwn: Abusing Legal Disclaimers to Trigger Prompt Injections - Pangea Labs.LegalPwn: Tricking LLMs by burying badness in lawyerly fine print - The Register.LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code - HackRead.One long sentence is all it takes to make LLMs misbehave - The Register.Londoners give up eldest children in public Wi-Fi security horror show - The Guardian.Targeted social engineering is en vogue as ransom payment sizes increase - Coveware.State of Malware 2025 - ThreatDown.Cybercrime in the Age of AI - ThreatDown.Threat Intelligence Report: August 2025 - Anthropic.The Day Return Became Enter - Marcin Wichary.Ethan Mollick’s terrible AI-generated CAPTCHAs - Twitter.The very worst AI-generated CAPTCHA? - Claude.ai.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault.Then we time-hop to the post-quantum scramble: "harvest-now, decrypt later", Microsoft's 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse.All this, plus a gloriously dodgy URL “shadyfier,” and turning the iconic iMac G4 into a modern media hub.All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Thom Langford.EPISODE LINKS:DOM-based Extension Clickjacking: Your Password Manager Data at Risk - Marek Tóth.Major password managers can leak logins in clickjacking attacks - Bleeping Computer.Microsoft to Make All Products Quantum Safe by 2033 - Infosecurity Magazine.Shady URL.DockLite G4 - Juicy Crumb.I perfected the iMac G4 - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills.Meanwhile, we look at the growing threat of EDR-killer tools that can quietly switch off your endpoint protection before an attack even begins.And for something a little different, we peek into the Internet Archive’s dystopian Wayforward Machine and take a detour to Mary Shelley’s resting place in Bournemouth.All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Allan "Ransomware Sommelier" Liska.Episode links:Crypto Influencer Sentenced to Prison for Multi-Million Dollar “Cryptojacking” Scheme - US Department of Justice.Ransomware crews don't care about your endpoint security – they've already killed it - The Register.Way Forward Machine - The Internet Archive.Mary Shelley’s grave - Atlas Obscura.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)Sponsored by:Proton Drive - Protect your files with end-to-end encryption in Switzerland’s secure cloud — only on Proton Drive.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW US:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix". Privacy & Opt-Out: https://redcircle.com/privacy

A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing.All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Dave Bittner from The Cyberwire.Warning: This podcast may contain nuts, adult themes, and rude language.Episode links:Invitation Is All You Need: Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite - SafeBreach.Invitation attack curses - YouTube.Invitation attack opens shutters - YouTube.Guy Gives Himself 19th Century Psychiatric Illness After Consulting With ChatGPT - 404 Media.Superman (2025) trailer - YouTube.Billy Joel: And so it goes - HBO Max.Billy Joel: And so it goes trailer - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)Sponsored by:Proton - Break free from Gmail. You should be able to choose what happens to your data. With Proton, only you can read your emails.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!FOLLOW US:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix". Privacy & Opt-Out: https://redcircle.com/privacy

Those of you who tuned in to last week's episode (#428) will have heard the big news from my podcast pal Carole that she's decided to move on from her co-hosting duties on the show.There have been some lovely messages of support sent through for Carole, and indeed for me too. Thank you very much to all of you - it's really heatywarming to hear how much the last 428 episodes have meant to you all, and how much you want the show to go on.And so - as I said last week - it will carry on. Next week there will be a regular edition of "Smashing Security" with a special guest well known to all of you, and I plan to carry on as normal every week with guests after that...This week though I felt like I needed to catch my breath, and take a break. But I didn't want to leave you without something to listen to...So, here is a special edition of "Smashing Security" with a couple of clips from recent episodes of its sister show "The AI Fix", which I co-host with Mark Stockley.If you enjoy "The AI Fix," please do follow it in your favourite podcast apps and tell your friends!Until next week, cheerio bye bye.Episode links:The AI Fix.The AI Fix on Apple Podcasts.The AI Fix on Spotify.The AI Fix on Pocketcasts.The AI Fix on Overcast.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!FOLLOW US:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix". Privacy & Opt-Out: https://redcircle.com/privacy

The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes.Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer.All this is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.Warning: This podcast may contain nuts, adult themes, and rude language.Episode links:Update regarding cybersecurity incident - Tea.Hackers steal images from women's dating safety app that vets men - BBC News.A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating - 404 Media.American musical satirist Tom Lehrer dies at 97 - BBC News.Tom Lehrer website.Tom Lehrer sings The Elements, live in Copenhagen, 1967 - YouTube.Tom Lehrer sings “New Math” (animated) - YouTube.Carole’s Substack.Libby - Library app.Shokz UK.Two Birds Yoga - YouTube.Thermapen.BBC Sounds.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!FOLLOW US:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks. Privacy & Opt-Out: https://redcircle.com/privacy