Security News

S3 Ep99: TikTok “attack” – was there a data breach, or not? [Audio + Text]
2022-09-08 18:21

DUCK. I'm doing very, very well, thank you, Douglas! A messy thing that is bugging people is the question of this TikTok thing.

S3 Ep98: The LastPass saga – should we stop using password managers? [Audio + Text]
2022-09-01 18:55

LastPass source code breach - do we still recommend password managers? DOUG. That's important to point out, because a lot of people, I think, don't understand how password managers work - and I wasn't totally clear on this either. As you write in the article, your local machine is doing the heavy lifting, and all the decoding is done *on your local machine*, so LastPass doesn't actually have access to any of the things you're trying to protect anyway.

S3 Ep97: Did your iPhone get pwned? How would you know? [Audio + Text]
2022-08-25 18:37

He's so famous that even his ties - he always wears a tie, beautiful coloured ties - even his ties have a Twitter feed, Doug. There are lots of things you can do, provided that: you know where you should be; you know where you want to be; and you've got some way of differentiating the good behaviour from the bad behaviour.

S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security [Audio + Text]
2022-08-18 18:38

If you want to understand a little more about it, your Naked Security article explains it incredibly well for people that are not normally acquainted with things like APIC controllers. Do you think, Chester, that they've targeted the Conti gang because they had a little bit of dishonour among thieves, as it were?

S3 Ep95: Slack leak, Github onslaught, and post-quantum crypto [Audio + Text]
2022-08-11 18:34

If we turn back the clock to five years ago, that's when Slack started leaking hashed passwords. If you're a Slack user, I would assume that if they didn't realise they were leaking hashed passwords for five years, maybe they didn't quite enumerate the list of people affected completely either.

S3 Ep94: This sort of crypto (graphy), and the other sort of crypto (currency!) [Audio + Text]
2022-08-04 17:52

DOUG. A critical Samba bug, yet another crypto theft, and Happy SysAdmin Day. Moving on to something not so great: a memory mismanagement bug in GnuTLS. DUCK. Yes, I thought this was worth writing up on Naked Security, because when people think of open-source cryptography, they tend to think of OpenSSL. Because that's the one that everybody's heard of, and it's the one that's probably had the most publicity in recent years over bugs, because of Heartbleed.

S3 Ep93: Office security, breach costs, and leisurely patches [Audio + Text]
2022-07-28 18:47

Leisurely bug fixes - all that, and more, on the Naked Security Podcast. DOUG. We talked about an Office macro security feature that people were asking for for the better part of 20 years.

S3 Ep92: Log4Shell4Ever, travel tips, and scamminess [Audio + Text]
2022-07-21 18:25

DOUG. Facebook scams, Log4Shell forever, and tips for a cybersafe summer. DOUG. OK, there you go - you and I are in the full swing of summer, and we have some tips for the summertime coming up later in the show.

S3 Ep91: CodeRed, OpenSSL, Java bugs, Office macros [Audio + Text]
2022-07-14 18:47

DOUG. A brief history of Office macros, a Log4Shell style bug, two OpenSSL crypto bugs, and more. DUCK. If you have a Windows network where you can use Group Policy, for example, then as an administrator you can turn this function on to say, "As a company, we just don't want macros off the internet. We're not going to even offer you a button that you can say, Why not? Why not let the macros run?"

SEGA’s Sloppy Security Confession: Exposed AWS S3 Bucket Offers Up Steam API Access & More
2022-01-04 20:49

Gaming giant SEGA Europe recently discovered that its sensitive data was being stored in an unsecured Amazon Web Services S3 bucket during a cloud-security audit, and it's sharing the story to inspire other organizations to double-check their own systems. The laundry list of SEGA's potentially exposed data is nauseating - API keys, internal messaging systems, cloud systems, user data and more.