Is it *really* such a bad idea to use a password twice?


We regularly warn you against using the same password for multiple accounts.

But if you memorise one really long and complex password, isn't that enough?

No! Here's why...

SSCC 165 - "U2 or not U2," that is the question [PODCAST]


It's Chet Chat time!

Here's this week's episode of our news-you-can-use security podcast...

TimThumb plugin for WordPress - zero-day remote code execution hole disclosed, quickly fixed


WordPress sites with the TimThumb image thumbnailing plugin could be taken over by attackers.

Paul Ducklin looks at what went wrong and explains how to fix the hole...

Skype's Twitter account compromised by Syrian Electronic Army

Microsoft's Skype brand had its Twitter, Facebook and WordPress accounts hacked by someone claiming to be the Syrian Electronic Army. The real question is, where was the two-factor?

SSCC 121 - WordPress, OS X, iCloud, smartphone tracking and medical devices [PODCAST]


By popular demand, the Chet Chat has gone back to a weekly format, so your favourite security podcast will now be appearing twice as frequently!

Listen to Chet and Duck in the latest episode...

WordPress 3.7 with automatic security updating is out now

WordPress 3.7 isn't important because it fixes any particularly devilish vulnerabilities but because, for the first time, it will automatically update itself with the latest maintenance and security releases - something that could change the security of the whole WordPress ecosystem.

SSCC 119 - Happy 10th, Patch Tuesday - Adobe "goes open source" - Dread Pirate Roberts [PODCAST]


A wild ride this week, with Patch Tuesday turning 10, Adobe "going open source" by losing 40GB of code, and Silk Road operator Dread Pirate Roberts getting locked in the brig.

Chet and Duck turn their amusing but insightful attention to the latest security stories...

How to avoid being one of the "73%" of WordPress sites vulnerable to attack

Researchers have concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack. But they admit they might be wrong. Even so, they still highlight an important security issue which isn't diminished one iota by their sketchiness.

Monday review - the hot 24 stories of the week

Missed anything last week? Catch up with everything we talked about with our weekly roundup.

WordPress issues security fixes, advises "update your sites immediately"


Mega-popular blogging and content management system WordPress has just put out version 3.6.1.

This includes a patch for a remote code execution hole, so you are advised to update ASAP.

SSCC 116 - Google Authenticator, Apple bugs, Facebook data probes, WordPress phishing [PODCAST]


Here you are! Episode #116 of the Sophos Security Chet Chat.

News, opinion, advice and research: Chet and Duck bring you their unique and entertaining combination of all four in their regular podcast.

Monday review - the hot 17 stories of the week

Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

Anatomy of a phish - a "generic mass targeted attack" against WordPress admins


Naked Security reader Lisa Goodlin is a website designer and a WordPress user.

She was recently targeted by cybercrooks trying to phish her WordPress credentials, and though the phish ended up being comical rather than threatening, there were some useful lessons to be learned...

Sophos Techknow - Two-factor Authentication [PODCAST]


To some of us, two-factor authentication (2FA) is a welcome aspect of online security; to others, token or SMS-based login codes are just extra online hassle we'd rather do without.

Duck and Chet help you evaluate the risks and rewards of 2FA in this enjoyable quarter-hour podcast.

Monday review - the hot 21 stories of the week

In case you missed anything, here's everything we wrote in the past seven days.

WordPress blogs and more under global attack - check your passwords now!

If you have a web service that supports remote users, you will know that malevolent login attempts are an everyday occurrence.

But hosting providers worldwide are reporting an onslaught at well above average levels...

SSCC 106 - US DoD and BYOD, "scanner" malware, 2FA, and browser wars revisited [PODCAST]


For your listening pleasure, here's the latest episode in our popular "Chet Chat" series.

Senior Security Advisor Chester Wisniewski discusses the latest security news with regular guest Paul Ducklin in an entertaining and easily-digested quarter-hour podcast.

Monday review - the hot 17 stories of the week

Catch up with everything we've written in the last seven days - it's weekly roundup time.

WordPress.com boosts security for bloggers with two-factor authentication

With WordPress.com powering more than 60 million websites worldwide, anything to improve the safety and security of its users is to be welcomed.

Paul Ducklin tries out the new WordPress 2FA service on his Naked Security account...