Smashing Security

• Salesforce's trusted domain of doom

  Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars.And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable walk-back.Plus, we take a look at ITV's phone-hacking drama with David Tennant, and take a crack at decoding the history of the Rosetta Stone.Hear all this and more in episode 437 of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Paul Ducklin.EPISODE LINKS:Harrods suffers new data breach exposing 430,000 customer records - Bleeping Computer.Caméras dissimulées : la CNIL sanctionne la Samaritaine - CNIL.‘Total internet blackout’ in Afghanistan sparks panic after Taliban vowed to stamp out immoral activities - CNN.ForcedLeak: AI Agent risks exposed in Salesforce AgentForce - Noma.The Hack - itvX.The Hack - YouTube.The Rosetta Stone: The Story of the Decoding of Hieroglyphics - Amazon.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

  --------  

  43:20

  --------

  43:20
• The €600,000 gold heist, powered by ransomware

  Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards.All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Zoë Rose.EPISODE LINKS:EU cyber agency says airport software held to ransom by criminals - BBC News.Teenagers charged over cyber attack on TfL costing millions of pounds - Sky News.Teen arrested on suspicion of Vegas Strip attack that cost $100M - SF Gate.Paris: cyber-attack hits Natural History Museum, cancels exhibition - Sortira Paris.Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel - Le Parisien."Des pièces de collection nationale": le directeur du Muséum d'histoire naturelle de Paris indique que les pépites d'or volées ont "une valeur inestimable" - BFMTV.Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit - Security Week.Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware - Wiz.180+ NPM Packages Hit in Major Supply Chain Attack - Ox.Samsung confirms ads will now be shown on its $1,800+ fridges - UniLad.Bosch Cordless Multifunction Tool - Bosch.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

  --------  

  39:13

  --------

  39:13
• Lights! Camera! Hacktion!

  When "bad actors" stop being hackers and start being... actual actors.This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear.Plus, the UK's ICO says students are increasingly hacking their own schools.Meanwhile, Graham heads to 1960s Oxford with Endeavour, while Jenny investigates the Wirral’s mysterious "Catman".All this, and more, in episode 435 of the "Smashing Security" podcast.EPISODE LINKS:Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack - Unit 42.Jaguar Land Rover extends production shutdown after cyber-attack - The Guardian.AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT - Genians.Israel says suspected Iranian hackers targeted actors in phishing attack - Iran International.Iranian Educated Manticore Targets Leading Tech Academics - Check Point.Children hacking their own schools for 'fun', watchdog warns - BBC News.Endeavour - ITVx.Crowds armed with torches hunt the “cat man” every night - Liverpool Echo.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off!Adaptive Security - request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

  --------  

  42:32

  --------

  42:32
• Whopper Hackers, and AI Whoppers

  Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did - and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon.Meanwhile, over in Silicon Valley, one AI wunderkind managed to turn a $7 million payday into a career-ending lawsuit by allegedly walking trade secrets straight out the door as he jumped ship for a rival.All this and much more is discussed in episode 434 of the award-winning “Smashing Security” podcast with computer security veteran Graham Cluley, joined this week by special guest Lianne Potter. Hear them they chew over catastrophic fast-food security, insider threats with extra fries, and why even the biggest brains in AI can't stop themselves from doing something utterly stupid.EPISODE LINKS:We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance - Internet archive wayback machine.DMCA notice - Bobdahacker.xAI sues former engineer, alleging he stole trade secrets after being paid $7M - San Francisco Standard.xAI vs Xuechen Li - Court documents.Classic Reload.Digger - Classic Reload.Kingdom of Kroz - Classic Reload.The Bad Movie Bible - YouTube.Shark Attack 3: Megalodon - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

  --------  

  44:51

  --------

  44:51
• How hackers turned AI into their new henchman

  Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other words, one hacker with an AI helper can work like an entire team of cybercriminals.Plus: a joyous geek detour into keyboard history, and the most diabolically annoying, fully functional AI-generated CAPTCHA that you will love to inflict on your friends.EPISODE LINKS:LegalPwn: Abusing Legal Disclaimers to Trigger Prompt Injections - Pangea Labs.LegalPwn: Tricking LLMs by burying badness in lawyerly fine print - The Register.LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code - HackRead.One long sentence is all it takes to make LLMs misbehave - The Register.Londoners give up eldest children in public Wi-Fi security horror show - The Guardian.Targeted social engineering is en vogue as ransom payment sizes increase - Coveware.State of Malware 2025 - ThreatDown.Cybercrime in the Age of AI - ThreatDown.Threat Intelligence Report: August 2025 - Anthropic.The Day Return Became Enter - Marcin Wichary.Ethan Mollick’s terrible AI-generated CAPTCHAs - Twitter.The very worst AI-generated CAPTCHA? - Claude.ai.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy

  --------  

  45:27

  --------

  45:27

More Comedy podcasts

Trending Comedy podcasts

About Smashing Security

Smashing Security: Podcasts in Family