Category: Smashing Security
-
Smashing Security podcast #470: This AI security flaw might be impossible to fix
A website called “UK visa portal” has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren’t. And when a journalist tried to warn the company, it was lawyers…
-
Smashing Security podcast #469: What your Oura ring won’t tell you
CISA, the US government agency whose entire job is keeping America’s critical infrastructure safe from hackers, has had a contractor publish dozens of plain-text credentials to a public GitHub profile. Meanwhile, your Oura ring is quietly transmitting some of its data unencrypted – and…
-
Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers
A 23-year-old radio enthusiast spent £300 on a piece of kit from the internet, and used it to bring four packed high-speed trains to a screeching halt. His defence in court? Possibly the most creative excuse we’ve heard all year. Meanwhile, owners of $4,000 robot…
-
Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities
Welcome to the largest educational data breach in history – affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas’s parent company refused to pay and announced they had deployed “security patches” instead, the hackers were less than impressed.…
-
Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not
A company that ran anonymous tip lines for 35,000 American schools – handling reports of bullying, weapons, and self-harm – boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called…
-
Smashing Security podcast #463: This AI company leaked its own code. It’s also built something terrifying
A hacking group claims to have broken into the flood defence system protecting Venice’s Piazza San Marco – and is offering to sell access to whoever wants it. The asking price? A frankly insulting $600. Meanwhile, Anthropic accidentally leaked…
-
Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing
LinkedIn has been secretly scanning your browser for over 6,000 installed extensions — on every single click you make. It can tell if you’re job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned…
-
Smashing Security podcast #461: This man hid $400 million in a fishing rod. Then it vanished
A cannabis-growing, beekeeping, gyrocopter-flying Irishman invested his drug money in Bitcoin back in 2011 – and now sits on a fortune worth $400 million. There’s just one small problem: the access codes were tucked inside his fishing rod case,…
-
Smashing Security podcast #460: Never knock on the door of a nuclear submarine base and ask for a selfie
A disgruntled data analyst decides that the best response to losing his contract is to steal the entire company payroll database and demand $2.5 million in Bitcoin – signing his extortion emails from a company called…
-
Smashing Security podcast #459: This clever scam nearly hijacked a tech CEO’s Apple ID
In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg – involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous…
-
Smashing Security podcast #458: How not to steal $46 million from the US government
A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn’t stirred since 2024 – and within minutes, giant woodpecker images are plastered across the internet’s favourite encyclopaedia. Meanwhile, a crypto contractor hired to help the US Marshals manage seized…
-
Smashing Security podcast #457: How a cybersecurity boss framed his own employee
When a top cybersecurity firm discovered it had a leak, you would expect the FBI to be called. Instead, the person put in charge of the investigation was the actual leaker… who promptly sent an innocent colleague into a career-ending ambush. In this…
-
Smashing Security podcast #456: How to lose friends and DDoS people
When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email – they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI…
-
Smashing Security podcast #454: AI was not plotting humanity’s demise. Humans were
AI bots are having existential crises, inventing religions, and allegedly plotting against humanity… or so the internet would have you believe. We dig into Moltbook, the “AI-only” social network that sent Twitter into a meltdown, attracted breathless talk of the singularity, and turned…
-
Smashing Security podcast #453: The Epstein Files didn’t hide this hacker very well
Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about – especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting. Sloppy redaction leads to explosive claims, and difficult reputational consequences for cybersecurity vendors, and we…
-
Smashing Security podcast #452: The dark web’s worst assassins, and Pegasus in the dock
In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device. Plus,…
-
Smashing Security podcast #451: I hacked the government, and your headphones are next
In episode 451 of “Smashing Security,” we meet the cybercriminal who hacked the US Supreme Court, Veterans Affairs, and more – and then helpfully posted screenshots (and even someone’s blood type) on an account called “I hacked the government.” Plus we discuss…
-
Smashing Security podcast #450: From Instagram panic to Grok gone wild
Confusion reigns after claims that data linked to 17.5 million Instagram accounts is up for sale – sparked by a vague post, contradictory statements, and a flood of password reset emails nobody asked for. And we dig into Grok, Elon Musk’s AI chatbot, after…
-
Smashing Security podcast #449: How to scam someone in seven days
Romance scammers have apparently discovered astrology… and Taurus is their secret weapon. In episode 449 of “Smashing Security”, we take a look inside an actual romance-fraud handbook – complete with scripts, personality “types”, corporate jargon, and a seven-day plan to get victims from hello…
-
Smashing Security podcast #448: The Kindle that got pwned
Think your Kindle is harmless? Think again! In this episode, we unpack a Black Hat Europe talk revealing how a boobytrapped audiobook could exploit the Amazon eBook reader – potentially letting an attacker break into your account and seize control of your credit card. Plus a…
-
Smashing Security podcast #445: The hack that brought back the zombie apocalypse
America’s airwaves are haunted by zombies again, as we dig into a decade of broadcasters leaving their hardware open to attack, giving hackers the chance to hijack TV shows, blast out fake emergency alerts, and even replace religious sermons with explicit furry podcasts.…
-
Smashing Security podcast #444: We’re sorry. Wait, did a company actually say that?
Stop the press – a company has actually said “sorry” after a data breach, and hotels are helping hackers phish their own guests. We examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig…
-
Smashing Security podcast #443: Tinder’s camera roll and the Buffett deepfake
Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing “number one investment tips.” Meanwhile, will agentic AI replace your co-hosts before you can say “EDR for robots”? and why you should still…
-
Smashing Security podcast #442: The hack that messed with time, and rogue ransom where negotiators
Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away. Plus when ransomware negotiators turn to the dark side, what could possibly go…
-
Smashing Security podcast #441: Inside the mob’s million-dollar poker hack, and a Formula 1 fumble
Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table. Meanwhile, researchers have found they could poke around an FIA driver portal to pull…
-
Smashing Security podcast #440: How to hack a prison, and the hidden threat of online checkouts
A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI…
-
Smashing Security podcast #439: A breach, a burnout, and a bit of Fleetwood Mac
A critical infrastructure hack hits the headlines – involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole. Meanwhile we dig into the bit we don’t talk about enough:…
-
Smashing Security podcast #438: When your mouse turns snitch, and hackers grow a conscience
Your computer’s mouse might not be as innocent as it looks – and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into…
-
Smashing Security podcast #437: Salesforce’s trusted domain of doom
Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed “ForcedLeak”, let them smuggle AI-read instructions in via a humble Web-to-Lead form… and ended up spilling data for the low, low price of five dollars. And we discuss why data breach communications still default…
-
Smashing Security podcast #436: The €600,000 gold heist, powered by ransomware
Ransomware doesn’t just freeze computers – it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai…
-
Smashing Security podcast #435: Lights! Camera! Hacktion!
When “bad actors” stop being hackers and start being… actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for…
-
Smashing Security podcast #434: Whopper Hackers, and AI Whoppers
Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did – and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon. Meanwhile, over in Silicon…
-
Smashing Security podcast #433: How hackers turned AI into their new henchman
Your AI reads the small print, and that’s a problem. This week in episode 433 of “Smashing Security” we dig into LegalPwn – malicious instructions tucked into code comments and disclaimers that sweet-talk AI into rubber-stamping dangerous payloads (or even pretending they’re a…
-
Smashing Security podcast #432: Oops! I auto-filled my password into a cookie banner
We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault. Then we time-hop to the post-quantum scramble:…
-
Smashing Security podcast #431: How to mine millions without paying the bill
In episode 431 of the “Smashing Security” podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills. Meanwhile, we look at the growing threat of EDR-killer tools that can…
-
Smashing Security podcast #430: Poisoned Calendar invites, ChatGPT, and Bromide
A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing. All this and more is discussed in the latest edition of the…
-
Smashing Security podcast #428: Red flags, leaked chats, and a final farewell
The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself – after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes. Plus, Carole…
-
Smashing Security podcast #427: When 2G attacks, and a romantic road trip goes wrong
Graham warns why it is high time we said goodbye to 2G – the outdated mobile network being exploited by cybercriminals with suitcase-sized SMS blasters. From New Zealand to London, scammers are driving around cities like dodgy Uber drivers, spewing phishing…
-
Smashing Security podcast #426: Choo Choo Choose to ignore the vulnerability
In episode 426 of the “Smashing Security” podcast, Graham reveals how you can hijack a train’s brakes from 150 miles away using kit cheaper than a second-hand PlayStation. Meanwhile, Carole investigates how Grok went berserk, which didn’t stop the Department of Defense signing a…
-
Smashing Security podcast #425: Call of Duty: From pew-pew to pwned
In episode 425 of “Smashing Security”, Graham reveals how “Call of Duty: WWII” has been weaponised – allowing hackers to hijack your entire PC during online matches, thanks to ancient code and Microsoft’s Game Pass. Meanwhile, Carole digs into a con targeting the recently…
-
Smashing Security podcast #423: Operation Endgame, deepfakes, and dead slugs
In this episode of the “Smashing Security” podcast, Graham unravels Operation Endgame – the surprisingly stylish police crackdown that is seizing botnets, mocking malware authors with anime videos, and taunting cybercriminals via Telegram. And BBC cyber correspondent Joe Tidy joins us to talk about “Ctrl-Alt-Chaos”,…
-
Smashing Security podcast #422: The curious case of the code copier
A GCHQ intern forgets the golden rule of spy school — don’t take the secrets home with you — and finds himself swapping Cheltenham for a cell. Meanwhile, an Australian hacker flies too close to the sun, hacks his way into a US indictment,…
-
Smashing Security podcast #421: Toothpick flirts, Google leaks, and ICE ICE scammers
What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the “Smashing Security” podcast obviously. Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force…
-
Smashing Security podcast #420: Fake Susies, flawed systems, and fruity fixes for anxiety
A bizarre case of political impersonation, where Trump’s top aide Susie Wiles is cloned (digitally, not biologically — we think), and high-ranking Republicans start getting invitations to link up with “her” on Telegram to share their Trump pardon wishlists. Was it a…
-
Smashing Security podcast #418: Grid failures, Instagram scams, and Legal Aid leaks
In this week’s episode, Graham investigates the mysterious Iberian Peninsula blackout (aliens? toaster? cyberattack?), Carole dives into the UK legal aid hack that exposed deeply personal data of society’s most vulnerable, and Dinah Davis recounts how Instagram scammers hijacked her daughter’s account –…
-
Smashing Security podcast #417: Hello, Pervert! – Sextortion scams and Discord disasters
Don’t get duped, doxxed, or drained! In this episode of “Smashing Security” we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger’s Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases. All this…
-
Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe
Brits face empty shelves and suspended meal deals as cybercriminals hit major high street retailers, and a terminated Disney employee gets revenge with a little help with Wingdings. Plus Graham challenges Carole to a game of “Malware or metal?”, and we wonder just happens…
-
Smashing Security podcast #415: Hacking hijinks at the hospital, and WASPI scams
He’s not a pop star, but Jeffrey Bowie is alleged to have toured staff areas of a hospital in Oklahoma, hunting for computers he could install spyware on. We dive into the bizarre case of the man accused of hacking medical networks and…
-
Smashing Security podcast #414: Zoom.. just one click and your data goes boom!
Graham explores how the Elusive Comet cybercrime gang are using a sneaky trick of stealing your cryptocurrency via an innocent-appearing Zoom call, and Carole goes under the covers to explore the extraordinary lengths bio-hacking millionaire Bryan Johnson is attempting to extend his…
-
Smashing Security podcast #413: Hacking the hackers… with a credit card?
A cybersecurity firm is buying access to underground crime forums to gather intelligence. Does that seem daft to you? And over in Nigeria, even if romance scammers would like to update their LinkedIn profiles, just how easy is it to turn a new leaf…
-
Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing
QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a blunder so dumb it makes autocorrect look smart, the White House explains how it leaked war plans on Signal because an iPhone mistook a…
-
Smashing Security podcast #411: The fall of Troy, and whisky barrel scammers
Renowned cybersecurity expert Troy Hunt falls victim to a phishing attack, resulting in the exposure of thousands of subscriber details, and don’t lose your life savings in a whisky scam… All this and more is discussed in the latest edition of the “Smashing…
-
Smashing Security podcast #410: Unleash the AI bot army against the scammers – now!
A YouTuber has unleashed an innovative AI bot army to disrupt and outwit the world of online scammers, and a New York Times investigation looks into the intricate web of global money laundering. All this and more is discussed in the…
-
Smashing Security podcast #409: Peeping perverts and FBI phone calls
In episode 409 of the “Smashing Security” podcast, we uncover the curious case of the Chinese cyber-attack on Littleton’s Electric Light Company, and a California landlord’s hidden camera scandal. Find out about this, and more, in the latest edition of the “Smashing Security” podcast by…
-
Smashing Security podcast #408: A gag order backfires, and a snail mail ransom demand
What happens when a healthcare giant’s legal threats ignite a Streisand Effect wildfire… while a ransomware gang appears to ditch the dark web for postage stamps? Find out about this, and more, in the latest edition of the “Smashing Security” podcast…
-
Smashing Security podcast #405: A crypto con exchange, and soaring ticket scams
From shadowy Bitcoin exchanges to Interpol’s most wanted, Alexander Vinnik was the alleged kingpin behind BTC-e, a $4bn crypto laundering empire. Learn more about him, and how he became a geopolitical pawn between the US, France, and Russia. Plus! Hear how concert-goers are…
-
Smashing Security podcast #404: Podcast not found
The story of how hackers managed to compromise the US Government’s official SEC Twitter account to boost the price of Bitcoins, AI isn’t helping reduce the rife conspiracy theories inside classrooms, and is the funeral bell tolling for ransomware? All this and more is discussed in the latest…
-
Smashing Security podcast #401: Hacks on the high seas, and how your home can be stolen under your nose
An Italian hacker makes the grade and ends up in choppy waters, and hear true stories of title deed transfer scams. All this and more is discussed in the latest edition of the award-winning “Smashing Security”…
-
Smashing Security podcast #399: Honey in hot water, and reset your devices
Ever wonder how those “free” browser extensions that promise to save you money actually work? We dive deep into the controversial world of Honey, the coupon-finding tool owned by PayPal, and uncover a scheme that might be leaving you with less savings and…
-
The AI Fix #31: Replay: AI doesn’t exist
Mark and I took a break for the new year, but we’ll be back for a new episode of “The AI Fix” podcast at the usual time next week. In the meantime, here is another chance to hear one of our favourite episodes again. The very first…
-
Smashing Security podcast #398: Fake CAPTCHAs, Harmageddon, and Krispy Kreme
This week, we delve into the dark world of fake CAPTCHAs designed to hijack your computer. Plus, the AI safety clock is ticking down – is doomsday closer than we think? And to top it off, we uncover the sticky situation of Krispy Kreme facing…
-
Smashing Security podcast #397: Snowflake hackers, and under the influence
A Canadian man is arrested in relation to the Snowflake hacks from earlier this year – after a cybersecurity researcher managed to track his identity, and a cryptocurrency-trading Instagram influencer is in trouble with the law. All this and more is discussed in the latest…
-
Smashing Security podcast #396: Dishy DDoS dramas, and mining our minds for data
A CEO is arrested for turning satellite receivers into DDoS attack weapons! Then, we’ll journey into the world of bossware and “affective computing” and explore how AI is learning to read our emotions – is this the future of work, or a…