How to hack a prison, and the hidden threat of online checkouts
A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI DSS rules are finally muzzling Magecart-style skimmers.Plus: Graham reveals his new-found superpower with Keyboard Maestro, and Scott describes a slick new way to whip up beautiful how-to videos with Screen Studio.All this and more is discussed in episode 440 of "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Scott Helme.EPISODE LINKS:What caused the AWS outage - and why did it make the internet fall apart? - BBC News.China blames US for cyber break-in, claims America is world's biggest bit burglar - The Register.Nintendo allegedly hacked by Crimson Collective hacking group - screenshot shows leaked folders, production assets, developer files, and backups - Tom’s Hardware.Romanian inmate hacks into prison IT system, modifies sentences for others - Romania Insider.New Version of PCI DSS Designed to Tackle Emerging Payment Threats - Infosecurity Magazine.What is Magecart? How this hacker group steals payment card data - CSO.Keyboard Maestro.Screen Studio.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy
--------
44:04
--------
44:04
A breach, a burnout, and a bit of Fleetwood Mac
A critical infrastructure hack hits the headlines - involving default passwords, boasts on Telegram, and a finale that will make a few cyber-crooks wish the ground would swallow them whole. Meanwhile we dig into the bit we don't talk about enough: the human cost of defending companies from hackers - stress, burnout, and how better leadership culture can help make security teams safer and saner.Plus we say a heartfelt "la di dah" to Diane Keaton, and tune in to a freshly re-released slice of pre-Fleetwood Mac history for the music-obsessed amongst us. All this and more is discussed in episode 439 of "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Annabel Berry.EPISODE LINKS:Cyber-attacks rise by 50% in past year, UK security agency says - The Guardian.What does the end of free support for Windows 10 mean for its users? - The Guardian.Satellites found exposing unencrypted data, including phone calls and some military comms - TechCrunch.Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS - Forescout.Caught in the act: Ransomware attack sticks to our AI-created honeypot - Forescout.Human Performance in Security Operations: A Survey on Burnout, Wellbeing and Flow State Among Practitioners - NDSS Symposium.State of the Security Profession 23/24 - Chartered Institute of Information Security.Leading Cyber.Mental Health in Cybersecurity Foundation.“Play it Again, Sam” - IMDB.“Play it Again, Sam” clip - YouTube.“Buckingham Nicks” - Spotify.Fleetwood Mac - Silver Springs (Live, 1997) - YouTube.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)If anything we've discussed today has resonated with you, or if you're going through a tough time, please know you are not alone. There is always someone ready to listen, without judgment. Here are a few of the available resources:Shout - text 85258 (24x7)Samaritans - tel 116123 (24x7)Suicide prevention - tel 0800 689 5652 (6pm - 3.30am)SANEline - tel 0300 304 7000 (4.30pm - 10.30pm)SPONSORS:SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy
--------
45:17
--------
45:17
When your mouse turns snitch, and hackers grow a conscience
Your computer's mouse might not be as innocent as it looks - and one ransomware crew has a crisis of conscience that nobody saw coming.We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation.Meanwhile, Graham reveals a baked potato hack that might just change your life, and we take an unexpected detour to South America for a bit of literary adventure involving inflatable pigs.All this and more is discussed in episode 438 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Geoff White.EPISODE LINKS:Discord users' data stolen by hackers in third-party data breach - Bitdefender.North Korean hackers increasingly targeting wealthy crypto holders - BBC News.Scattered Lapsus$ Hunters offering $10 in Bitcoin to 'endlessly harass' execs - The Register.Vacanti mouse - Wikipedia.Mic-E-Mouse.Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors - Arvix.Mic-E-Mouse Pipeline Demonstration - YouTube.Hackers say they have deleted children's pictures and data after nursery attack backlash - BBC News.Baked Potato - Wikipedia.“At the Tomb of the Inflatable Pig: Travels through Paraguay” - Penguin.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:Vanta - Expand the scope of your security program with market-leading compliance automation... while saving time and money. Smashing Security listeners get $1000 off.Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy
--------
42:18
--------
42:18
Salesforce's trusted domain of doom
Researchers uncovered a security flaw in Salesforce’s shiny new Agentforce. The vulnerability, dubbed "ForcedLeak", let them smuggle AI-read instructions in via humble Web-to-Lead form... and ended up spilling data for the low, low price of five dollars.And we discuss why data breach communications still default to "we take security seriously" while quietly implying "assume no breach" - until the inevitable walk-back.Plus, we take a look at ITV's phone-hacking drama with David Tennant, and take a crack at decoding the history of the Rosetta Stone.Hear all this and more in episode 437 of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Paul Ducklin.EPISODE LINKS:Harrods suffers new data breach exposing 430,000 customer records - Bleeping Computer.Caméras dissimulées : la CNIL sanctionne la Samaritaine - CNIL.‘Total internet blackout’ in Afghanistan sparks panic after Taliban vowed to stamp out immoral activities - CNN.ForcedLeak: AI Agent risks exposed in Salesforce AgentForce - Noma.The Hack - itvX.The Hack - YouTube.The Rosetta Stone: The Story of the Decoding of Hieroglyphics - Amazon.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORS:SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.ANON - Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy
--------
43:20
--------
43:20
The €600,000 gold heist, powered by ransomware
Ransomware doesn’t just freeze computers - it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.But it’s not all doom and gloom - unless you count your kitchen appliances turning into ad billboards.All this and more is discussed in episode 436 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and his special guest Zoë Rose.EPISODE LINKS:EU cyber agency says airport software held to ransom by criminals - BBC News.Teenagers charged over cyber attack on TfL costing millions of pounds - Sky News.Teen arrested on suspicion of Vegas Strip attack that cost $100M - SF Gate.Paris: cyber-attack hits Natural History Museum, cancels exhibition - Sortira Paris.Cybersécurité : le Grand Palais et plusieurs musées dont le Louvre victimes d’une attaque par rançongiciel - Le Parisien."Des pièces de collection nationale": le directeur du Muséum d'histoire naturelle de Paris indique que les pépites d'or volées ont "une valeur inestimable" - BFMTV.Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit - Security Week.Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware - Wiz.180+ NPM Packages Hit in Major Supply Chain Attack - Ox.Samsung confirms ads will now be shown on its $1,800+ fridges - UniLad.Bosch Cordless Multifunction Tool - Bosch.Smashing Security merchandise (t-shirts, mugs, stickers and stuff)SPONSORED BY:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.SUPPORT THE SHOW:Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!FOLLOW THE SHOW:Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.THANKS:Theme tune: "Vinyl Memories" by Mikael Manvelyan.Assorted sound effects: AudioBlocks.ENJOYED THE SHOW?Make sure to check out our sister podcast, "The AI Fix".Privacy & Opt-Out: https://redcircle.com/privacy
Smashing Security isn’t your typical tech podcast. Hosted by cybersecurity veteran Graham Cluley, it serves up weekly tales of cybercrime, hacking horror stories, privacy blunders, and tech mishaps - all with sharp insight, a sense of humour, and zero tolerance for tech waffle.Winner of the best and most entertaining cybersecurity podcast awards in 2018, 2019, 2022, 2023, and 2024, Smashing Security has had over ten million downloads. Past guests include Garry Kasparov, Mikko Hyppönen, and Jack Rhysider. Follow the podcast on Bluesky at @smashingsecurity.com, and subscribe for free in your favourite podcast app.New episodes released at 7pm EST every Wednesday (midnight UK).
UK