• The Kindle that got pwned
    Dec 18 2025

    Think your Kindle is harmless? Think again! In this episode, Graham and special guest Danny Palmer unpack a Black Hat Europe talk revealing how a boobytrapped audiobook could exploit the Amazon eBook reader - potentially letting an attacker break into your account and seize control of your credit card.

    Plus a blast from 2021's "summer of ransomware" returns to haunt Ireland's Health Service Executive, as victims are offered €750 each.

    And because it's the last show before the Christmas break, there's also a Pick of the Week that veers from cosy rom-com comfort to pointy-polygon nostalgia.

    All this, and more, in episode 448 of the "Smashing Security" podcast with Graham Cluley, and special guest Danny Palmer.

    🎅 🎄 Thanks to everyone for listening to "Smashing Security" during 2025 - we look forward to being back in your ear'oles in early January. Stay safe! 🎅 🎄


    EPISODE LINKS:


    • Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK - ICO.
    • Trump Administration Turning to Private Firms in Cyber Offensive - Bloomberg.
    • Russian ban on Roblox gaming platform sparks rare protest - Reuters.
    • Once upon an exploit: how fake audiobook led to Kindle takeover - Cybernews.
    • Four years later, Irish health service offers €750 to victims of ransomware attack - Bitdefender.
    • When Harry Met Sally - Wikipedia.
    • When Harry Met Sally trailer - YouTube.
    • Tomb Raider 1-3 Remastered review - you were never going to smooth these games out - Eurogamer.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • ThreatLocker - Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.


    SUPPORT THE SHOW:

    Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

    Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!


    FOLLOW THE SHOW:

    Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.


    THANKS:

    Theme tune: "Vinyl Memories" by Mikael Manvelyan.

    Assorted sound effects: AudioBlocks.


    ENJOYED THE SHOW?

    Make sure to check out our sister podcast, "The AI Fix".




    Privacy & Opt-Out: https://redcircle.com/privacy
    37 mins
  • Grok the stalker, the Louvre heist, and Microsoft 365 mayhem
    Dec 11 2025

    On this week's show we learn that AI really can be a stalker’s best friend, as we explore a strange tale that starts with a manatee-shaped mailbox on a millionaire's lawn and ends with Grok happily doxxing real people, mapping out stalking "strategies," and handing out revenge-porn tips.

    Then we go inside the Louvre heist, where thieves in hi-vis and a hire van waltzed off with the French crown jewels in broad daylight, exploiting our assumptions about what "looks normal" - the same kind of bias we’re now baking into security AIs.

    Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.

    All this, and more, in episode 447 of the "Smashing Security" podcast with Graham Cluley, and special guest Jenny Radcliffe.


    EPISODE LINKS:

    • Khashoggi widow files complaint in France alleging Saudi government infected devices with spyware - The Record.
    • US Posts $10 Million Bounty for Iranian Hackers - Security Week.
    • Infostealer has entered the chat - Kaspersky.
    • Dave Portnoy posts a photo of his lawn (including a manatee-shaped mailbox) - Twitter.
    • Elon Musk’s Grok AI Is Doxxing Home Addresses of Everyday People - Futurism.
    • Elon Musk’s Grok Is Providing Extremely Detailed and Creepy Instructions for Stalking - Futurism.
    • How the Louvre thieves exploited human psychology to avoid suspicion – and what it reveals about AI - The Conversation.
    • Outrageous (TV series) - Wikipedia.
    • Outrageous trailer - YouTube.
    • Man charged with theft after allegedly swallowing Fabergé pendant in jewellery store - The Guardian.
    • Free Microsoft 365 Tenant Security Scanner - CoreView.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.
    • CoreView - Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls.

    56 mins
  • A hacker doxxes himself, and social engineering-as-a-service
    Dec 4 2025

    A teenage cybercriminal posts a smug screenshot to mock a sextortion scammer... and accidentally hands over the keys to his real-world identity.

    Meanwhile, we look into the crystal ball for 2026 and consider how stolen data is now the jet fuel of cybercrime – and how next year could be even nastier than 2025.

    Plus, Graham rants about recipe sites that won’t shut up, and there's even more love for Lily Allen's album "West End Girl".

    All this and more is discussed in episode 446 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Rik Ferguson.


    EPISODE LINKS:

    • Europol nukes Cryptomixer laundering hub, seizing €25M in Bitcoin - The Register.
    • 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign - Koi.
    • Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts - Push Security.
    • Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ - Krebs on Security.
    • Jonathan Ross email goof highlights Twitter security issue - Graham Cluley.
    • VIDEO: Mark Zuckerberg’s password choices are dadada-dumb! - Graham Cluley.
    • Password to Louvre’s video surveillance system was 'Louvre', according to employee - ABC News.
    • Just the Recipe.
    • West End Girl - Wikipedia.
    • West End Girl - Spotify.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • 1Password - Take the first step to better security by securing your team’s credentials.
    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.

    45 mins
  • The hack that brought back the zombie apocalypse
    Nov 27 2025

    America's airwaves are haunted by zombies again, as we dig into a decade of broadcasters leaving their hardware open to attack, giving hackers the chance to hijack TV shows, blast out fake emergency alerts, and even replace religious sermons with explicit furry podcasts.

    Meanwhile, we look at how a worker at a cybersecurity firm allegedly leaked internal information to a hacking gang - raising big questions about insider threats.

    Plus: Frankenstein on Netflix, Vine nostalgia, and why Barney the Dinosaur may be the true criminal mastermind behind it all.

    All this and more is discussed in episode 445 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Dan Raywood.


    EPISODE LINKS:

    • Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix - Acronis.
    • Tokyo Court Finds Cloudflare Liable For Manga Piracy in Long-Running Lawsuit - TorrentFreak.
    • Former Google chief accused of spying on employees through account ‘backdoor’ - LA Times.
    • Bogus zombie apocalypse warnings undermine US emergency alert system - Ars Technica.
    • 2013 EAS Zombie Hoax - Emergency Alert System Wiki.
    • The 1987 Max Headroom incident - YouTube.
    • Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings - Ars Technica.
    • ESPN 97.5 Houston Victim Of Barix Hack - Radio Insight.
    • ESPN Houston apologises to viewers - Facebook.
    • CrowdStrike fires ‘suspicious insider’ who passed information to hackers - TechCrunch.
    • Frankenstein official trailer - YouTube.
    • Frankenstein - Netflix.
    • Vine: Six Seconds that changed the world - Global Player.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.

    41 mins
  • We’re sorry. Wait, did a company actually say that?
    Nov 20 2025

    Stop the press - a company has actually said "sorry" after a data breach, and hotels are helping hackers phish their own guests.

    In episode 444 of "Smashing Security" we examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig into a nasty hotel-booking malware campaign that abuses trust in apps and CAPTCHAs, and chat about autonomous pen testing, AI-turbocharged cybercrime, and what CISOs should really be asking on Monday morning.

    And lost Doctor Who is brought back to life by one very dedicated animator, and we take a look at Eddie Murphy’s career.

    All this and more is discussed in episode 444 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

    Plus - don't miss our featured interview with Snehal Antani from Horizon3.ai!


    EPISODE LINKS:

    • A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers - Wired.
    • British hacker must repay £4m after hijacking celebrity Twitter accounts - BBC News.
    • Cloudflare experiences a massive outage - LifeHacker.
    • Protecting our Merchants: Standing up to Extortion - Checkout.
    • A miracle: A company says sorry after a cyber attack - and donates the ransom to cybersecurity research - Hot for Security.
    • Large-Scale ClickFix Phishing Attacks Target Hotel Systems with PureRAT Malware - The Hacker News.
    • Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests - Akamai.
    • Doctor Who Animation: Daleks' Master Plan - The Nightmare Begins. Part 1 - YouTube.
    • Doctor Who Animation: Daleks' Master Plan - The Nightmare Begins. Part 2 - YouTube.
    • Being Eddie - Netflix.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Horizon3.ai - Get an autonomous pentest demo and see your network the way attackers do. Visit Horizon3.ai.

    55 mins
  • Tinder’s camera roll and the Buffett deepfake
    Nov 13 2025

    Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing "number one investment tips."

    Meanwhile, will agentic AI replace your co-hosts before you can say "EDR for robots"? And why you should still read books.

    All this, plus Lily Allen's new album and Claude Code come up for discussion in episode 443 of the "Smashing Security" podcast, with special guest Ron Eddings.


    EPISODE LINKS:

    • ‘Landfall’ spyware abused zero-day to hack Samsung Galaxy phones - TechCrunch.
    • Cyber insurers paid out over twice as much for UK ransomware attacks last year - The Register.
    • Lost iPhone? Don’t fall for phishing texts saying it was found - Bleeping Computer.
    • Tinder to use AI to get to know users, tap into their Camera Roll photos - TechCrunch.
    • Facebook’s AI can now suggest edits to the photos still on your phone - TechCrunch.
    • Berkshire warns of AI deepfakes impersonating Warren Buffett - Reuters.
    • West End Girl - Wikipedia.
    • West End Girl - Spotify.
    • Claude Code.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.



    38 mins
  • The hack that messed with time, and rogue ransomware negotiators
    Nov 6 2025

    Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away.

    Plus when ransomware negotiators turn to the dark side, what could possibly go wrong?

    All this and more is discussed in episode 442 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Dave Bittner.


    EPISODE LINKS:

    • Alleged Meduza Stealer malware admins arrested after hacking Russian org - Bleeping Computer.
    • Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices - Zimperium.
    • Postcode Lottery's lucky dip turns into data slip as players draw each other's info - The Register.
    • Chinese Ministry of State Security MSS WeChat post - WeChat.
    • China blames US for cyber break-in, claims America is world's biggest bit burglar - The Register.
    • Chicago firm that resolves ransomware attacks had rogue workers carrying out their own hacks, FBI says - Chicago Sun Times.
    • MicroMacro: Crime City.
    • Star Wars 3.5 foot animated LED R2-D2 - Home Depot.
    • TrackaLacker.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)



    SPONSORS:

    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    • Material - Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.
    • Drata - The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.



    39 mins
  • Inside the mob's million-dollar poker hack, and a Formula 1 fumble
    Oct 30 2025

    Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table.

    Meanwhile, researchers have found they could poke around an FIA driver portal to pull up the personal details of Formula 1 megastars.

    Plus: Graham’s “Pick of the Week” turns CAPTCHA hell into a delightfully deranged browser game that will make you question vegetables, geometry, and your life choices, while Danny takes a trip to ancient Africa.

    All this and more is discussed in episode 441 of the "Smashing Security" podcast with cybersecurity veteran Graham Cluley, and special guest Danny Palmer.


    EPISODE LINKS:

    • Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them - Dr Web.
    • Cyberattack on Russia’s food safety agency reportedly disrupts product shipments - The Record.
    • Dissecting YouTube's malware distribution network - Check Point.
    • 31 Defendants, Including Members and Associates of Organized Crime Families and National Basketball Association Coach Chauncey Billups, Charged in Schemes to Rig Illegal Poker Games - US Department of Justice.
    • How Hacked Card Shufflers Allegedly Enabled a Mob-Fueled Poker Scam That Rocked the NBA - Wired.
    • Every Formula 1 driver on the grid just had their passport and license details leaked - but it could have been so much worse - TechRadar.
    • I’m not a robot - Neal.fun.
    • Can I Beat The CAPTCHA Game? - YouTube.
    • An African History of Africa by Zeinab Badawi - Penguin.
    • Smashing Security merchandise (t-shirts, mugs, stickers and stuff)


    SPONSORS:

    • Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
    • SecAlerts - SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.
    • Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

    41 mins