Sophos Naked Security Podcast

We share our technical knowledge and advice in plain English, in a style that is entertaining yet serious, with plenty of expert advice you can use both at work and at home.

Search for the words naked security in your podcast app, find us on Apple Podcasts, on Spotify and on Soundcloud, or listen to the latest episodes below.

Fun fact: Series 3 intro and outro music by Edith Mudge (

New episode every Thursday, plus bonus splinter podcasts and minisodes as special surprises!

S3 Ep60: Exchange exploit, GoDaddy breach and cookies made public

Cybersecurity tips for the holiday season and beyond. Exchange at risk from public exploit. GoDaddy loses passwords for 1.2m users. Longest-lived Windows version ever. Don’t make your cookies public. And the day that umbrellas became an anti-DDoS tool.

Episode date: Thursday 2021-11-25

S3 Ep59: Emotet, an FBI hoax, Samba bugs, and a hijackable suitcase

The infamous Emotet malware makes a comeback. Crooks smirk at the world with a fake FBI warning. Why tubes are also valves. Samba fixes an intriguing bug. The suitcase that needs no handle. And a virtual-versus-real monitor mixup.

Episode date: Thursday 2021-11-18

S3 Ep58: Faces on Facebook, scams that are complaints, and a Kaseya bust

We enjoy the Sophos 2022 Threat Report. Facebook folds up its Face Recognition feature. Crooks combine a new social engineering scam with a new way of packaging malware. Kaseya ransomware suspect busted in Poland. And how to block radio comms in a land with no hills.

Episode date: Thursday 2021-11-11

S3 Ep57: Europol v. Ransomware, Shrootless bug, and Linux browser wars

Norbert (huzzah for Norbert!) does tech support. Europol digs into the ransomware scene. Microsoft finds a wacky bug in Apple’s shell. The Morris worm turns 33. Edge on Linux phans the phlames. Ola! Gibberish peculiarity textual solvage.

Episode date: Thursday 2021-11-04

S3 Ep56: Cryptotrading rodent, ransomware hackback, and a Docusign phish

Bliss is a hill in wine country. Lessons from a cryptotrading hamster. Ransomware gang hacked back. Docusign phishers go after 2FA codes. Sleep mode considered harmful.

Episode date: Thursday 2021-10-28

S3 Ep55: Live malware, global encryption, dating scams, and secret emanations

Hook up with our forthcoming Live Malware Demo presentation. Why we think you should celebrate Global Encryption Day. A whole new twist on bogus online “friendships”. How to stop your network cables giving you away. And why superglue is NOT a cybersecurity tool!

Episode date: Thursday 2021-10-21

S3 Ep54: Another 0-day, double Apache patch, and Fight The Phish

Apple (you guessed it!) fixes yet another iPhone 0-day. Apache patches an embarrassing bug and then has to patch the patch. It’s Fight The Phish week. And the user who got punched right in the nose by a recalctrant computer.

Episode date: Thursday 2021-10-14

S3 Ep53: Apple Pay, giftcards, cybermonth, and ransomware busts

Apple Pay gets hacked (sort of). DOJ busts gift card scamming suspects. Our top tips for #Cybermonth. Ukrainian Cybercops v. ransomware crooks. A user who volunteered to RTFM!?

Episode date: Thursday 2021-10-07

S3 Ep52: Let’s Encrypt, Outlook leak, and VMware exploit

Let’s Encrypt brings HTTPS to everyone. Researchers rediscover an Outlook data leakage issue. VMware keeps it real. And when the mouse is away, the cat will play.

Episode date: Thursday 2021-09-30

S3 Ep51: OMIGOD a gaping hole, waybill scams, and Face ID hacked

A scarily exploitable hole in Microsoft open source code. A simpler take on delivery scams. A Face ID bypass hack, patched for the initial release of iOS 15. And how not to get locked in a cabling closet.

Episode date: Thursday 2021-09-23

S3 Ep50: Two 0-days plus another 0-day plus a fast food bug

Apple patches two zero-day bugs. Microsoft patches one zero-day bug. A security researcher finds a fast-food bug (non-insect sort). And a touchpad user turns right into left, and vice versa.

Episode date: Thursday 2021-09-16

S3 Ep49: Poison PACs, pointless alarms and phunky bugs

Overlooked security flaw leaves web code vulnerable. A home alarm system that almost anyone can turn off. Some fascinating Firefox bugs fixed. And when you grab your laptop… but it’s not yours.

Episode date: Thursday 2021-09-09

S3 Ep48: Cryptographic bugs, cryptocurrency nightmares, and lots of phishing

Security code flushes out security bugs. Recursion: see recursion. Phishing (and lots of it). And the Windows desktop that got so big it imploded.

Episode date: Thursday 2021-09-02

S3 Ep47: Daylight robbery, spaghetti trouble, and mousetastic superpowers

More money troubles in cryptotown. Trouble with plastic spaghetti. The mouse that conquered Windows. And the embarrassment when you report one of your very own emails as a phish.

Episode date: Thursday 2021-08-26

S3 Ep46: Copyright scams, video snooping and Grand Theft Crypto

Copyright infringement scams that beg you to call. An IoT bug that could be exploited for video snooping and more. A hacker steals $600m and then makes a song and dance out of giving it back.

Episode date: Thursday 2021-08-19

S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed

Home and small business routers under attack. A hacking tool favoured by crooks gets hacked. The Navajo Nation’s selfless cryptographic contribution to America. A cybercrook gets aggrieved at being ripped off by cybercrooks.

Episode date: Thursday 2021-08-12

S3 Ep44: Unreported holes, retro computing, and tech support for malware

The latent 0-day that didn’t get reported until it was too late. Retro computing: reliving the TRS-80. Crooks that help you install their malware. And a 5-minute billionaire (who ended up with $400).

Episode date: Thursday 2021-08-05

S3 Ep43: Apple 0-day, pygmy hippos, hive nightmares and Twitter hacker bust

Apple’s emergency 0-day fix. Two sorts of Windows nightmare, neither involving printers. Twitter hacker busted. And our very own Doug ruins a brand new TV.

Episode date: Thursday 2021-07-29

S3 Ep42: Viruses, Nightmares, patches, rewards and scammers

Learning from computer virus history. The PrintNightmare saga continues. Apple puts out a patch, but doesn’t say why. Snitch on a crook and earn $10 million. Scammers do grammar. And the Business Email Compromise that wasn’t.

Episode date: Thursday 2021-07-22

S3 Ep41: Crashing iPhones, PrintNightmares, and Code Red memories

We explain how a format string bug could lock your iPhone out of your own network. We revisit the PrintNightmare saga, which is sort-of fixed but not really. We look back at the 20-year-old Code Red virus. We look at what cybercriminals spend money on (hint: more cybercrime).

Episode date: Thursday 2021-07-15

S3 Ep40: Kaseya breach, PrintNightmare 0-day, and hacking versus the law

The “Independence Day Weekend” ransomware drama. The PrintNightmare nightmare continues. An email hacker gets his conviction overturned.

Episode date: Thursday 2021-07-08

S3 Ep39.5: A conversation with Eva Galperin

In this special splintersode, Kimberly Truong talks to Eva Galperin, Director of Security at the Electronic Frontier Foundation.

Episode date: Monday 2021-07-05

S3 Ep39: Paying the date,#SocialMediaDay tips, and a special splintersode

When you spend tens of pounds but get billed thousands because the system mistook the date for the amount. Our tips to make #SocialMediaDay your safest day on social media yet. And a clip from a great new privacy splintersode we’ll be airing next week.

Episode date: Thursday 2021-07-01

S3 Ep38: Clop busts, destructive Linux hacking, and rooted bicycles

Ukrainian cops bring out the BFG (Big Fearsome Grinder) and cut open some doors. A repeated request for destructive Linux code enters its 15th year. Peloton exercise bicycles found to be rootable.

Episode date: Thursday 2021-06-24

S3 Ep37: Quantum crypto, refunding Bitcoins, and Alpaca problems

Will quantum cryptography mean the end of encryption? How was the FBI able to get bitcoins back in the Colonial Pipeline ransomware case? What is the ALPACA attack, and does it make your browsing less secure?

Episode date: Thursday 2021-06-17

S3 Ep36: Trickbot coder busted, passwords cracked, and breaches judged

Alleged malware coder from the Trickbot gang arrested. 5500 passwords cracked and salaries stolen by “credential stuffing” crook. And we answer a listener’s question about just how tough to be when judging a company that’s had a breach.

Episode date: Thursday 2021-06-10

S3 Ep35: Apple chip flaw, Have I Been Pwned, and Covid tracker trouble

The fascinating tale of a bug that’s baked into Apple’s latest chip. Why the Aussie data breach warning site HIBP is partnering with the FBI. And a coronavirus tracking toolkit that fell foul of privacy rules.

Episode date: Thursday 2021-06-03

S3 Ep34: Apple bugs, scammers busted, and how crooks bypass 2FA

Apple patches a raft of serious security holes. Police arrest eight suspects in an online scamming ring. We explain how WhatsApp messages from hacked accounts are helping cybercrooks bypass 2FA.

Episode date: Thursday 2021-05-27

S3 Ep33: Eufy camera leak, Afterburner crisis, and AirTags (again)

We look into an unnerving case of mixed-up video feeds. We warn you against “going rogue” when you can’t get the download you want from the regular place. We explain how Apple’s new AirTag product got hacked (again).

Episode date: Thursday 2021-05-20

S3 Ep32: AirTag jailbreak, Dell vulns, and the never-ending scam

Apple’s brand new AirTag product got hacked already. Things you can learn from Colonial Pipeline’s ransomware misfortune. Why Dell patched a bunch of driver bugs going back more than a decade. And the “Is it you in the video?” scam just keeps on coming back.

Episode date: Thursday 2021-05-13

S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug

We look into Apple’s recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous “Flubot” home delivery scam works and how to stop it. We investigate a recent security bug that threatened the PHP ecosystem.

Episode date: Thursday 2021-05-06

S3 Ep30: AirDrop worries, Linux pests and ransomware truths

We investigate whether AirDrop is really as dangerous as researchers claimed. We discuss the pestiferous problem of fake Linux bugs submitted as an academic exercise. We review the latest Sophos Ransomware Report and uncover uncomfortable truths about paying up.

Episode date: Thursday 2021-04-29

S3 Ep29: Anti-tracking, rowhammer problems and IoT vulns

How Firefox showed the hand to a widely abused online tracking trick. Why reading from one part of your computer’s memory can paradoxically (and sneakily) let you write to another part. And yet more IoT bugs, this time a whole slew of them that go by the moniker “name:wreck”.

Episode date: Thursday 2021-04-22

S3 Ep28.5: Hacking back – is attack an acceptable form of defence?

Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath.

Episode date: Friday 2021-04-16

S3 Ep28: Pwn2Own hacks, dark web hitmen and COVID-19 privacy

We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps.

Episode date: Thursday 2021-04-15

S3 Ep27: Census scammers, beg bounties and data breach fines

How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined for not sending in a data breach disclosure fast enough.

Episode date: Thursday 2021-04-08

S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor

Why Apple had to rush out a security update for iDevices. Two cryptographic security holes patched in OpenSSL. How PHP nearly got backdoored by crooks.

Episode date: Thursday 2021-04-01

S3 Ep25: Drained accounts, ransomware attacks and Linux badware

How a social engineer ripped off a victim lured in by one of those “small outstanding fee to pay” home delivery scams. The ransomware crooks targeting networks that still haven’t done their Hafnium patches. And the Linux kernel security holes that lay there undiscovered for 15 years.

Episode date: Thursday 2021-03-25

S3 Ep24: How not to get snooped, scammed or hoaxed

An iPhone app that allowed anyone to snoop on anyone’s calls. A data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently “secured” by a single password. And please don’t forget: “Don’t spread hoaxes, folkses.”

Episode date: Thursday 2021-03-18

S3 Ep23.5: An interview with cybersecurity expert John Noble CBE

John Noble was Director of Incident Management at the UK’s National Cyber Security Centre (NCSC) until his retirement in 2018. During his 40 years of Government service, John specialised in operational delivery and strategic business change. For his work in creating effective partnerships in the run up to the London Olympics, he was made a Commander of the British Empire (CBE) in 2012.

John helped to establish the NCSC and led the response to nearly 800 significant cyberincidents. This work has given him unrivalled experience in dealing with and understanding the causes of cyberattacks.

John is currently a non-executive director at NHS Digital, where he chairs the Information Assurance and Cyber Security Committee. NHS Digital is the national information and technology partner to the health and social care system in England.

Episode date: Monday 2021-03-15

S3 Ep23: Hafnium happenings, I see you, and Pythonic poison

Getting to grips with the HAFNIUM gang/vulnerabilities/exploits/webshells/attacks. Why it’s important to think before you share those home-based selfies. What you need to know about social engineering. How (not!) to prove a point when you’re a programmer.

Episode date: Thursday 2021-03-11

S3 Ep22: Cryptographic escapes and social media scams

How to stop security-conscious apps from allowing unencrypted data to escape, and how scammers put social network users under pressure in order to steal their passwords.

Episode date: Thursday 2021-03-04

S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads

The graphics card that wants you to stick to playing games, the man that didn’t weigh 100 tons after all, and the marketing gang that used a browser bug to bombard iPhone users with scammy online surveys.

Episode date: Thursday 2021-02-25

S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs

How a bug hunter snuck into the internal networks of 35 megacorporations. Why romance scams are going stronger than ever (and how to avoid them). What to do about those tempting but treacherous “tax refund” messages. And a listener tells us how he got a bit carried away while he was gardening…

Episode date: Thursday 2021-02-18

S3 Ep19.5: How NOT to be a bug bounty hunter

How does bug bounty hunting work? What should you do if you get a bug report that doesn’t follow established protocol? We tell you how to deal with so-called “beg bounties“, where self-styled “experts” beg you for money or even threaten you with ill-defined “problems” they claim to have found.

Episode date: Friday 2021-02-12

S3 Ep19: Chrome zero-day, coffee hacking and stolen

We delve into Google’s tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the domain.

Episode date: Thursday 2021-02-11

S3 Ep18: Apple emergency, crypto blunder and botnet takedown

Apple pushed out an iOS update in something of a hurry to shut down a serious 0-day bug. The GnuPG team scrambled to fix an ironic vulnerability. And Europol reported on a successful takedown operation against the notorious Emotet malware.

Episode date: Thursday 2021-02-04

S3 Ep17: Facemasks, hidden ads and paranormal hacking

What’s the connection between coronavirus facemasks and fingerprint biometrics? Who would have expected funky job ads on the White House website? And who would you call if you spotted a deceased former colleague hanging out on your network?

Episode date: Thursday 2021-01-28

S3 Ep16: Darkweb bust, security at home, and browser snoopage

Anonymous and private, yet busted – we explain how darkweb sites sometimes keep your secrets… and sometimes don’t. We help you improve your cybersecurity at home. And we tell you the tale of a company with a cool name but allegedly with creepy habits coded into its browser extensions.

Episode date: Thursday 2021-01-21

S3 Ep15.5: Home schooling – how to stay secure

Thanks to coronavirus lockdown rules in the UK, and the temporary closure of all schools, Sally Adam suddenly found herself responsible for cybersecurity where it mattered more than ever: on a home network that jointly served for home, work and school.

Paul Ducklin talks to Sally about how she did it, and how to keep your own family’s digital life safe.

Episode date: Tuesday 2021-01-19

S3 Ep15: Titan keys, Mimecast certs and Solarwinds

We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it.

Episode date: Thursday 2021-01-14

S3 Ep14: Money scams, HTTPS by default, and hardcoded passwords

We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software.

Episode date: Thursday 2021-01-07

S3 Ep13: A chat with hacker Keren Elazari

How did the movie “Hackers” inspire a girl to grow up to become a hacker herself? Find out from security analyst, friendly hacker and TED Talk speaker Keren Elazari.

Hear about Keren’s incredible journey, why hackers should be welcomed with open arms, and the inspiration that guided her career.

Episode date: Thursday 2020-12-31

S3 Ep12: A chat with social engineering hacker Rachel Tobac

How do you go from neuroscientist to DEFCON Social Engineering Capture the Flag champ? Find out from hacker and social engineering expert Rachel Tobac.

Join us for a fascinating interview with Rachel about her journey, why you should always be “politely paranoid”, and the people who inspired her along the way.

Episode date: Thursday 2020-12-24

S3 Ep11: DIY phishes, sandwich scams and vaccine hacking

We look at phishing tricks that really work, investigate a bizarre scam involving Subway sandwiches, and ask whether cybercriminals have lost their interest in the rest of us now they have coronavirus-related targets to go after.

Episode date: Thursday 2020-12-17

S3 Ep10.5: 20 years of cyberthreats that shaped infosec

We interview Sophos expert John Shier about his recently published paper, “20 years of cyberthreats that shaped information security“.

Join John on a dizzying journey all the way from legendary viruses such as ILOVEYOU and Code Red, which flooded the internet in 2000, to present-day ransomware gangs like Ryuk and REvil, who are extorting millions of dollars in blackmail money per attack.

Episode date: Sunday 2020-12-13

S3 Ep10: Hacking iPhones, sunken Enigmas and double scams

We dig into research that figured out a way to steal data from iPhones wirelessly; we tell the fascinating story of how environmentalist divers in Germany came across an old Enigma cipher machine at the bottom of the Baltic sea; and we give you advice on how to talk to phone scammers.

Episode date: Thursday 2020-12-10

S3 Ep9: Gift card hacks, dubious doorbells and Wi-Fi tips

We look at a network intrusion where the crooks tried to take over dozens of different online accounts from every user, we discuss the potential dangers of digital doorbells, and we give you some handy hints for improving your wireless security at home.

Episode date: Thursday 2020-12-03

S3 Ep8: A conversation with Katie Moussouris

How do you go from pentester to creator of Microsoft’s bug bounty program? Find out from hacker and vulnerability disclosure pioneer, Katie Moussouris, CEO of Luta Security.

Join us for a fascinating interview with Katie (@k8em0) about her journey, the bugs in bug bounty programs, and the people who inspired her along the way.

Episode date: Thursday 2020-11-26

S3 Ep7: When ransomware crooks get a big fat zero!

We say thanks to companies that refuse to pay ransomware hush money, dig into the new Sophos 2021 Threat Report, and take a quick look inside a malicious Linux kernel driver. Also, a sneak preview of our upcoming podcast interview with bug bounty pioneer Katie Moussouris.

Episode date: Thursday 2020-11-19

S3 Ep6: How not to get scammed

When payments go astray, why “just in case” cybersecurity warnings do more harm than good, how to shop safely on Black Friday and beyond, and (oh! no!) what to do when all your emails disappear.

Episode date: Thursday 2020-11-12

S3 Ep5: Chrome, Flash and malware for sale

A zero-day bug in Chrome for Android, the imminent death of Adobe Flash, the evolution of “malware-as-a-service“, and the malware risks from image search. Also (oh! no!), why you should take care before you pair.

Episode date: Thursday 2020-11-05

S3 Ep4.5: FBI “ransomware warning” for healthcare is a warning for everyone

Two days before we recorded this minisode, the FBI, CISA and HHS released an unprecedented warning of “an increased and imminent cybercrime threat to US hospitals and healthcare providers.” Chester Wisniewski, Principal Research Scientist at Sophos, discusses what the threat is, what this advisory means, and why this warning is a warning for everyone.

Episode date: Friday 2020-10-30

S3 Ep4: Now THAT’S what I call a fire alarm!

Facebook scammers trick you with fake copyright notices, voice scammers automate their attacks on the vulnerable, how to tune up your mobile privacy, and (oh! no!) the best/worst IT helpdesk call ever.

Episode date: Thursday 2020-10-29

S3 Ep3: Breaking crypto, busting hackers and pwning Chrome

The DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”.

Episode date: Thursday 2020-10-22

S3 Ep2: Creepy smartwatches, botnets and Pings of Death

We investigate a creepy smartwatch for kids, discuss Microsoft’s short-lived takedown of Trickbot, explain how to avoid the Windows “Ping of Death” bug, and (oh no!) find the source of mysterious beeping from every computer in the office.

Episode date: Thursday 2020-10-15

S3 Ep1: Ransomware – is it really OK to pay?

We wonder whether Cybersecurity Awareness Month is a waste of time, explain the concept of “linkless phishing“, ask if it’s ever OK to pay a ransomware demand, and advise what to do when the CEO won’t stop looking at naughty sites.

Episode date: Thursday 2020-10-08

S3 Trailer: We’re back!

Get ready. A brand new series arrives Thursday, 8 October 2020.

Trailer date: Tuesday 2020-10-06