
Smashing Security

Graham Cluley

461 episodes

  • Smashing Security

    This clever scam nearly hijacked a tech CEO's Apple ID

    19/03/2026 | 54 min
    In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg - involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If this could happen to a famous techie, can you be sure you're immune?
    Plus: would you donate your lifetime medical history to science if you were promised anonymity? We unpack serious concerns around UK Biobank, where “de-identified” data may not be as anonymous as you think — and how surprisingly little information it takes to reveal everything.
    And! Human-powered “AI”, and a punishment worse than prison: eight hours on the RSA expo floor...
    All this, and much more, in episode 459 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Paul Ducklin.

    EPISODE LINKS:

    DOGE employee stole Social Security data and put it on a thumb drive, report says - TechCrunch.
    Foreign hacker in 2023 compromised Epstein files held by FBI, source and documents show - Reuters.
    New font-rendering trick hides malicious commands from AI tools - Bleeping Computer.
    Lockdown Mode - Apple support.
    Gone (Almost) Phishin’ - Matt Mullenweg.
    Listen to the Live Scam Call Targeting Matt Mullenweg’s Apple Account - YouTube.
    Confidential health records from UK BioBank project exposed online - The Guardian.
    A message from Professor Sir Rory Collins, Chief Executive and Principal Investigator of UK Biobank - UK BioBank.
    Psychotherapy data breach blackmailer sent to prison - Paul Ducklin.
    Your AI slop bores me.
    Post by Vaughan Shanks - LinkedIn.
    Judge Sentences CISO to 8 Consecutive Hours on RSA Expo Floor as Formal Punishment for Security Breach - The Exploit.
    Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:
    Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    Adaptive Security - request a custom demo featuring a real CEO deepfake simulation.
    Meter - Network infrastructure for the enterprise. Get a free personalised demo.

    SUPPORT THE SHOW:
    Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
    Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

    FOLLOW THE SHOW:
    Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

    THANKS:
    Theme tune: "Vinyl Memories" by Mikael Manvelyan.
    Assorted sound effects: AudioBlocks.

    Privacy & Opt-Out: https://redcircle.com/privacy
  • Smashing Security

    How not to steal $46 million from the US government

    12/03/2026 | 41 min
    A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn't stirred since 2024 - and within minutes, giant woodpecker images are plastered across the internet's favourite encyclopaedia.
    Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets allegedly decides to help himself to $46 million of it - and then brags about it on a recorded Telegram call.
    Plus: Graham champions Asterix, Tricia discovers the fantasy novels of Robin Hobb, and someone called "Lick" ends up in the nick.
    All this, and much more, in episode 458 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

    EPISODE LINKS:

    Major data leak forum dismantled in global action against cybercrime forum - Europol.
    Ericsson blames vendor vishing slip-up for breach exposing thousands of records - The Register.
    How hackers bypassed MFA with a $120 phishing kit – until law enforcement shut them down - Hot for Security.
    Wikipedia hit by self-propagating JavaScript worm that vandalized pages - Bleeping Computer.
    FBI arrests crypto thief accused of stealing $46 million from seized government wallet - Tom’s Hardware.
    Twitter thread by ZachXBT about John Daghita’s arrest - Twitter.
    Asterix - Wikipedia.
    Robin Hobb.
    The Complete Farseer trilogy - Harper Collins.
    Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:
    Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
    Meter - Network infrastructure for the enterprise. Get a free personalised demo.

  • Smashing Security

    How a cybersecurity boss framed his own employee

    05/03/2026 | 49 min
    When a top cybersecurity firm discovered it had a leak, you would expect the FBI to be called. Instead, the person put in charge of the investigation was the actual leaker... who promptly sent an innocent colleague into a career-ending ambush.
    In this episode, we unravel the jaw-dropping tale of a defence contractor caught selling zero-day exploits to a Russia-linked broker.
    Plus: are nation states quietly poisoning AI models to bend reality itself? We explore how “foreign information manipulation interference” could target not just social media users, but the large language models we increasingly trust for answers — and what that might mean for truth, trust, and the future of online influence.
    All this, and much more, in episode 457 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Carl Miller.

    EPISODE LINKS:
    Large-Scale Online Deanonymization with LLMs - Simon Lermen.
    Hacked Prayer App Sends ‘Surrender’ Messages to Iranians Amid Israeli and US Strikes - Wired.
    “Stay safe out there gamers”: Streamers say Amazon just made Wishlists a doxxing risk - Daily Dot.
    Apple alerts exploit developer that his iPhone was targeted with government spyware - TechCrunch.
    Former General Manager for U.S. Defense Contractor Sentenced to 87 Months for Selling Stolen Trade Secrets to Russian Broker - US Department of Justice.
    Treasury Sanctions Exploit Broker Network for Theft and Sale of U.S. Government Cyber Tools - US Department of Treasury.
    Inside the story of the US defense contractor who leaked hacking tools to Russia - TechCrunch.
    Hundreds of English-language websites link to pro-Kremlin propaganda - Guardian.
    The Incredible Shrinking Man - Internet Archive.
    “The Immortalists” by Aleks Krotoski - Penguin Books.
    Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:
    Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
    Meter - Network infrastructure for the enterprise. Get a free personalised demo.
    Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

  • Smashing Security

    How to lose friends and DDoS people

    26/02/2026 | 48 min
    When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email - they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with parts of their own archive to smear the blogger's name.
    In this episode, we unravel how a website designed to preserve history may have trashed its own credibility - and how Wikipedia responded when trust went out the window.
    Plus a ransomware gang shoots itself in the foot with a classic case of buffoonery, accidentally corrupting the very keys victims would need to decrypt their data. When even the criminals can’t unlock your files, what happens next?
    All this, a surprisingly zen Pick of the Week, and a gloriously splenetic rant against web forms, on episode 456 of the award-winning "Smashing Security" podcast, with cybersecurity veteran Graham Cluley and special guest Paul Ducklin.
    EPISODE LINKS:

    This App Will Detect People Wearing Smart Glasses Near You - Lifehacker.
    Patients listed as dead after major NZ health app MediMap hacked - 1News.
    Why fake AI videos of UK urban decline are taking over social media - BBC News.
    FBI orders domain registrar to reveal who runs mysterious Archive.is site - Ars Technica.
    Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site - Ars Technica.
    Archive.today is directing a DDOS attack against my blog - Gyrovague.
    Critical buffer overflow bug - in ESXi ransomware - SolCyber.
    Yoga with Adriene - YouTube.
    Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:
    Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.
    Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.

  • Smashing Security

    Face off: Meta’s Glasses and America’s internet kill switch

    19/02/2026 | 44 min
    Could America turn off Europe's internet?
    That’s one of the questions that Graham and special guest James Ball will be exploring as they discuss tech sovereignty. Could Gmail, cloud services, and critical infrastructure really become geopolitical leverage? And is anyone actually building a Plan B?
    Plus, we explore whether Meta is quietly plotting to turn its smart glasses into face-recognising surveillance specs. With reports of internal memos suggesting they plan to launch controversial features while everyone’s distracted by political chaos, we ask: is this innovation really wanted by the public... or something far creepier?
    All of this, and much more, in episode 455 of the award-winning "Smashing Security" podcast with cybersecurity veteran Graham Cluley, joined this week by journalist and author James Ball.

    EPISODE LINKS:

    IcedID malware developer fakes his own death to escape the FBI - Risky Business.
    Sex toys maker Tenga says hacker stole customer information - TechCrunch.
    Dutch police arrest man for "hacking" after accidentally sending him confidential files - Hot for Security.
    Meta Plans to Add Facial Recognition Technology to Its Smart Glasses - New York Times.
    Trading Sovereignty for Scale? The Costs of the US - UK Tech Prosperity Deal - Just Security.
    Just Mercy - Wikipedia.
    Just Mercy trailer - YouTube.
    Bryan Stevenson’s TED talk: We need to talk about an injustice - YouTube.
    The Residence - Netflix.
    Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:
    Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    Passwork - a reliable secrets manager and password management solution.
    Adaptive Security - request a custom demo featuring a real CEO deepfake simulation.



About Smashing Security

Stories from the world of hacking, cybersecurity, and rogue AI. Smashing Security isn’t your typical tech podcast. Hosted by cybersecurity veteran Graham Cluley, it serves up weekly tales of cybercrime, hacking horror stories, privacy blunders, and tech mishaps - all with sharp insight, a sense of humour, and zero tolerance for tech waffle. Winner of the best and most entertaining cybersecurity podcast awards in 2018, 2019, 2022, 2023, and 2024, Smashing Security has had over ten million downloads. Past guests include Garry Kasparov, Mikko Hyppönen, and Jack Rhysider. Follow the podcast on Bluesky at @smashingsecurity.com, and subscribe for free in your favourite podcast app. New episodes released at 7pm EST every Wednesday (midnight UK).
Generated: 3/19/2026 - 10:19:04 PM