We share our technical knowledge and advice in plain English, in a style that is entertaining yet serious, with plenty of expert advice you can use both at work and at home.
Fun fact: Series 3 intro and outro music by Edith Mudge (https://www.edithmudge.com).
New episode every Thursday, plus bonus splinter podcasts and minisodes as special surprises!
S3 Ep54: Another 0-day, double Apache patch, and Fight The Phish
Episode date: Thursday 2021-10-14
S3 Ep53: Apple Pay, giftcards, cybermonth, and ransomware busts
Episode date: Thursday 2021-10-07
S3 Ep52: Let’s Encrypt, Outlook leak, and VMware exploit
Episode date: Thursday 2021-09-30
S3 Ep51: OMIGOD a gaping hole, waybill scams, and Face ID hacked
A scarily exploitable hole in Microsoft open source code. A simpler take on delivery scams. A Face ID bypass hack, patched for the initial release of iOS 15. And how not to get locked in a cabling closet.
Episode date: Thursday 2021-09-23
S3 Ep50: Two 0-days plus another 0-day plus a fast food bug
Episode date: Thursday 2021-09-16
S3 Ep49: Poison PACs, pointless alarms and phunky bugs
Episode date: Thursday 2021-09-09
S3 Ep48: Cryptographic bugs, cryptocurrency nightmares, and lots of phishing
Episode date: Thursday 2021-09-02
S3 Ep47: Daylight robbery, spaghetti trouble, and mousetastic superpowers
Episode date: Thursday 2021-08-26
S3 Ep46: Copyright scams, video snooping and Grand Theft Crypto
Episode date: Thursday 2021-08-19
S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed
Home and small business routers under attack. A hacking tool favoured by crooks gets hacked. The Navajo Nation’s selfless cryptographic contribution to America. A cybercrook gets aggrieved at being ripped off by cybercrooks.
Episode date: Thursday 2021-08-12
S3 Ep44: Unreported holes, retro computing, and tech support for malware
Episode date: Thursday 2021-08-05
S3 Ep43: Apple 0-day, pygmy hippos, hive nightmares and Twitter hacker bust
Episode date: Thursday 2021-07-29
S3 Ep42: Viruses, Nightmares, patches, rewards and scammers
Learning from computer virus history. The PrintNightmare saga continues. Apple puts out a patch, but doesn’t say why. Snitch on a crook and earn $10 million. Scammers do grammar. And the Business Email Compromise that wasn’t.
Episode date: Thursday 2021-07-22
S3 Ep41: Crashing iPhones, PrintNightmares, and Code Red memories
We explain how a format string bug could lock your iPhone out of your own network. We revisit the PrintNightmare saga, which is sort-of fixed but not really. We look back at the 20-year-old Code Red virus. We look at what cybercriminals spend money on (hint: more cybercrime).
Episode date: Thursday 2021-07-15
S3 Ep40: Kaseya breach, PrintNightmare 0-day, and hacking versus the law
Episode date: Thursday 2021-07-08
S3 Ep39.5: A conversation with Eva Galperin
In this special splintersode, Kimberly Truong talks to Eva Galperin, Director of Security at the Electronic Frontier Foundation.
Episode date: Monday 2021-07-05
S3 Ep39: Paying the date, #SocialMediaDay tips, and a special splintersode
When you spend tens of pounds but get billed thousands because the system mistook the date for the amount. Our tips to make #SocialMediaDay your safest day on social media yet. And a clip from a great new privacy splintersode we’ll be airing next week.
Episode date: Thursday 2021-07-01
S3 Ep38: Clop busts, destructive Linux hacking, and rooted bicycles
Episode date: Thursday 2021-06-24
S3 Ep37: Quantum crypto, refunding Bitcoins, and Alpaca problems
Will quantum cryptography mean the end of encryption? How was the FBI able to get bitcoins back in the Colonial Pipeline ransomware case? What is the ALPACA attack, and does it make your browsing less secure?
Episode date: Thursday 2021-06-17
S3 Ep36: Trickbot coder busted, passwords cracked, and breaches judged
Alleged malware coder from the Trickbot gang arrested. 5500 passwords cracked and salaries stolen by “credential stuffing” crook. And we answer a listener’s question about just how tough to be when judging a company that’s had a breach.
Episode date: Thursday 2021-06-10
S3 Ep35: Apple chip flaw, Have I Been Pwned, and Covid tracker trouble
The fascinating tale of a bug that’s baked into Apple’s latest chip. Why the Aussie data breach warning site HIBP is partnering with the FBI. And a coronavirus tracking toolkit that fell foul of privacy rules.
Episode date: Thursday 2021-06-03
S3 Ep34: Apple bugs, scammers busted, and how crooks bypass 2FA
Episode date: Thursday 2021-05-27
S3 Ep33: Eufy camera leak, Afterburner crisis, and AirTags (again)
We look into an unnerving case of mixed-up video feeds. We warn you against “going rogue” when you can’t get the download you want from the regular place. We explain how Apple’s new AirTag product got hacked (again).
Episode date: Thursday 2021-05-20
S3 Ep32: AirTag jailbreak, Dell vulns, and the never-ending scam
Apple’s brand new AirTag product got hacked already. Things you can learn from Colonial Pipeline’s ransomware misfortune. Why Dell patched a bunch of driver bugs going back more than a decade. And the “Is it you in the video?” scam just keeps on coming back.
Episode date: Thursday 2021-05-13
S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug
We look into Apple’s recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous “Flubot” home delivery scam works and how to stop it. We investigate a recent security bug that threatened the PHP ecosystem.
Episode date: Thursday 2021-05-06
S3 Ep30: AirDrop worries, Linux pests and ransomware truths
We investigate whether AirDrop is really as dangerous as researchers claimed. We discuss the pestiferous problem of fake Linux bugs submitted as an academic exercise. We review the latest Sophos Ransomware Report and uncover uncomfortable truths about paying up.
Episode date: Thursday 2021-04-29
S3 Ep29: Anti-tracking, rowhammer problems and IoT vulns
How Firefox showed the hand to a widely abused online tracking trick. Why reading from one part of your computer’s memory can paradoxically (and sneakily) let you write to another part. And yet more IoT bugs, this time a whole slew of them that go by the moniker “name:wreck”.
Episode date: Thursday 2021-04-22
S3 Ep28.5: Hacking back – is attack an acceptable form of defence?
Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath.
Episode date: Friday 2021-04-16
S3 Ep28: Pwn2Own hacks, dark web hitmen and COVID-19 privacy
We look at the big-money hacks from the 2021 Pwn2Own competition. We investigate the difficulties of hiring an assassin via the dark web. We wrestle with some of the privacy issues relating to COVID-19 infection tracking apps.
Episode date: Thursday 2021-04-15
S3 Ep27: Census scammers, beg bounties and data breach fines
How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough.
Episode date: Thursday 2021-04-08
S3 Ep26: Apple 0-day, crypto vulnerabilities and PHP backdoor
Episode date: Thursday 2021-04-01
S3 Ep25: Drained accounts, ransomware attacks and Linux badware
How a social engineer ripped off a victim lured in by one of those “small outstanding fee to pay” home delivery scams. The ransomware crooks targeting networks that still haven’t done their Hafnium patches. And the Linux kernel security holes that lay there undiscovered for 15 years.
Episode date: Thursday 2021-03-25
S3 Ep24: How not to get snooped, scammed or hoaxed
An iPhone app that allowed anyone to snoop on anyone’s calls. A data breach where 150,000 surveillance cameras protecting hundreds or thousands of customers were apparently “secured” by a single password. And please don’t forget: “Don’t spread hoaxes, folkses.”
Episode date: Thursday 2021-03-18
S3 Ep23.5: An interview with cybersecurity expert John Noble CBE
John Noble was Director of Incident Management at the UK’s National Cyber Security Centre (NCSC) until his retirement in 2018. During his 40 years of Government service, John specialised in operational delivery and strategic business change. For his work in creating effective partnerships in the run up to the London Olympics, he was made a Commander of the British Empire (CBE) in 2012.
John helped to establish the NCSC and led the response to nearly 800 significant cyberincidents. This work has given him unrivalled experience in dealing with and understanding the causes of cyberattacks.
John is currently a non-executive director at NHS Digital, where he chairs the Information Assurance and Cyber Security Committee. NHS Digital is the national information and technology partner to the health and social care system in England.
Episode date: Monday 2021-03-15
S3 Ep23: Hafnium happenings, I see you, and Pythonic poison
Getting to grips with the HAFNIUM gang/vulnerabilities/exploits/webshells/attacks. Why it’s important to think before you share those home-based selfies. What you need to know about social engineering. How (not!) to prove a point when you’re a programmer.
Episode date: Thursday 2021-03-11
S3 Ep22: Cryptographic escapes and social media scams
Episode date: Thursday 2021-03-04
S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads
The graphics card that wants you to stick to playing games, the man that didn’t weigh 100 tons after all, and the marketing gang that used a browser bug to bombard iPhone users with scammy online surveys.
Episode date: Thursday 2021-02-25
S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs
How a bug hunter snuck into the internal networks of 35 megacorporations. Why romance scams are going stronger than ever (and how to avoid them). What to do about those tempting but treacherous “tax refund” messages. And a listener tells us how he got a bit carried away while he was gardening…
Episode date: Thursday 2021-02-18
S3 Ep19.5: How NOT to be a bug bounty hunter
How does bug bounty hunting work? What should you do if you get a bug report that doesn’t follow established protocol? We tell you how to deal with so-called “beg bounties”, where self-styled “experts” beg you for money or even threaten you with ill-defined “problems” they claim to have found.
Episode date: Friday 2021-02-12
S3 Ep19: Chrome zero-day, coffee hacking and Perl.com stolen
We delve into Google’s tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the Perl.com domain.
Episode date: Thursday 2021-02-11
S3 Ep18: Apple emergency, crypto blunder and botnet takedown
Apple pushed out an iOS update in something of a hurry to shut down a serious 0-day bug. The GnuPG team scrambled to fix an ironic vulnerability. And Europol reported on a successful takedown operation against the notorious Emotet malware.
Episode date: Thursday 2021-02-04
S3 Ep17: Facemasks, hidden ads and paranormal hacking
What’s the connection between coronavirus facemasks and fingerprint biometrics? Who would have expected funky job ads on the White House website? And who would you call if you spotted a deceased former colleague hanging out on your network?
Episode date: Thursday 2021-01-28
S3 Ep16: Darkweb bust, security at home, and browser snoopage
Anonymous and private, yet busted – we explain how darkweb sites sometimes keep your secrets… and sometimes don’t. We help you improve your cybersecurity at home. And we tell you the tale of a company with a cool name but allegedly with creepy habits coded into its browser extensions.
Episode date: Thursday 2021-01-21
S3 Ep15.5: Home schooling – how to stay secure
Thanks to coronavirus lockdown rules in the UK, and the temporary closure of all schools, Sally Adam suddenly found herself responsible for cybersecurity where it mattered more than ever: on a home network that jointly served for home, work and school.
Paul Ducklin talks to Sally about how she did it, and how to keep your own family’s digital life safe.
Episode date: Tuesday 2021-01-19
S3 Ep15: Titan keys, Mimecast certs and Solarwinds
We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it.
Episode date: Thursday 2021-01-14
S3 Ep14: Money scams, HTTPS by default, and hardcoded passwords
We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software.
Episode date: Thursday 2021-01-07
S3 Ep13: A chat with hacker Keren Elazari
How did the movie “Hackers” inspire a girl to grow up to become a hacker herself? Find out from security analyst, friendly hacker and TED Talk speaker Keren Elazari.
Hear about Keren’s incredible journey, why hackers should be welcomed with open arms, and the inspiration that guided her career.
Episode date: Thursday 2020-12-31
S3 Ep12: A chat with social engineering hacker Rachel Tobac
How do you go from neuroscientist to DEFCON Social Engineering Capture the Flag champ? Find out from hacker and social engineering expert Rachel Tobac.
Join us for a fascinating interview with Rachel about her journey, why you should always be “politely paranoid”, and the people who inspired her along the way.
Episode date: Thursday 2020-12-24
S3 Ep11: DIY phishes, sandwich scams and vaccine hacking
We look at phishing tricks that really work, investigate a bizarre scam involving Subway sandwiches, and ask whether cybercriminals have lost their interest in the rest of us now they have coronavirus-related targets to go after.
Episode date: Thursday 2020-12-17
S3 Ep10.5: 20 years of cyberthreats that shaped infosec
We interview Sophos expert John Shier about his recently published paper, “20 years of cyberthreats that shaped information security”.
Join John on a dizzying journey all the way from legendary viruses such as ILOVEYOU and Code Red, which flooded the internet in 2000, to present-day ransomware gangs like Ryuk and REvil, who are extorting millions of dollars in blackmail money per attack.
Episode date: Sunday 2020-12-13
S3 Ep10: Hacking iPhones, sunken Enigmas and double scams
We dig into research that figured out a way to steal data from iPhones wirelessly; we tell the fascinating story of how environmentalist divers in Germany came across an old Enigma cipher machine at the bottom of the Baltic sea; and we give you advice on how to talk to phone scammers.
Episode date: Thursday 2020-12-10
S3 Ep9: Gift card hacks, dubious doorbells and Wi-Fi tips
We look at a network intrusion where the crooks tried to take over dozens of different online accounts from every user, we discuss the potential dangers of digital doorbells, and we give you some handy hints for improving your wireless security at home.
Episode date: Thursday 2020-12-03
S3 Ep8: A conversation with Katie Moussouris
How do you go from pentester to creator of Microsoft’s bug bounty program? Find out from hacker and vulnerability disclosure pioneer, Katie Moussouris, CEO of Luta Security.
Join us for a fascinating interview with Katie (@k8em0) about her journey, the bugs in bug bounty programs, and the people who inspired her along the way.
Episode date: Thursday 2020-11-26
S3 Ep7: When ransomware crooks get a big fat zero!
We say thanks to companies that refuse to pay ransomware hush money, dig into the new Sophos 2021 Threat Report, and take a quick look inside a malicious Linux kernel driver. Also, a sneak preview of our upcoming podcast interview with bug bounty pioneer Katie Moussouris.
Episode date: Thursday 2020-11-19
S3 Ep6: How not to get scammed
Episode date: Thursday 2020-11-12
S3 Ep5: Chrome, Flash and malware for sale
A zero-day bug in Chrome for Android, the imminent death of Adobe Flash, the evolution of “malware-as-a-service”, and the malware risks from image search. Also (oh! no!), why you should take care before you pair.
Episode date: Thursday 2020-11-05
S3 Ep4.5: FBI “ransomware warning” for healthcare is a warning for everyone
Two days before we recorded this minisode, the FBI, CISA and HHS released an unprecedented warning of “an increased and imminent cybercrime threat to US hospitals and healthcare providers.” Chester Wisniewski, Principal Research Scientist at Sophos, discusses what the threat is, what this advisory means, and why this warning is a warning for everyone.
Episode date: Friday 2020-10-30
S3 Ep4: Now THAT’S what I call a fire alarm!
Facebook scammers trick you with fake copyright notices, voice scammers automate their attacks on the vulnerable, how to tune up your mobile privacy, and (oh! no!) the best/worst IT helpdesk call ever.
Episode date: Thursday 2020-10-29
S3 Ep3: Breaking crypto, busting hackers and pwning Chrome
The DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”.
Episode date: Thursday 2020-10-22
S3 Ep2: Creepy smartwatches, botnets and Pings of Death
We investigate a creepy smartwatch for kids, discuss Microsoft’s short-lived takedown of Trickbot, explain how to avoid the Windows “Ping of Death” bug, and (oh no!) find the source of mysterious beeping from every computer in the office.
Episode date: Thursday 2020-10-15
S3 Ep1: Ransomware – is it really OK to pay?
We wonder whether Cybersecurity Awareness Month is a waste of time, explain the concept of “linkless phishing”, ask if it’s ever OK to pay a ransomware demand, and advise what to do when the CEO won’t stop looking at naughty sites.
Episode date: Thursday 2020-10-08
S3 Trailer: We’re back!
Get ready. A brand new series arrives Thursday, 8 October 2020.
Trailer date: Tuesday 2020-10-06