
Smashing Security

Graham Cluley

Stories from the world of hacking, cybersecurity, and rogue AI. Smashing Security isn’t your typical tech podcast. Hosted by cybersecurity keynote speaker and industry veteran Graham Cluley, it serves up weekly tales of cybercrime, hacking horror stories, privacy blunders, and tech mishaps - all with sharp insight, a sense of humour, and zero tolerance for tech waffle. Winner of the best and most entertaining cybersecurity podcast awards in 2018, 2019, 2022, 2023, and 2024, Smashing Security has had over ten million downloads. Past guests include Garry Kasparov, Mikko Hyppönen, and Jack Rhysider. Follow the podcast on Bluesky at @smashingsecurity.com, and subscribe for free in your favourite podcast app. New episodes released at 7pm EST every Wednesday (midnight UK).

  1. 2d ago • Subscribers Only

    AI gets hacked, and BitLocker gets bypassed

    This is a special early-access, ad-free edition of the "Smashing Security" podcast for subscribers to Smashing Security PLUS. What if your AI coding assistant could be tricked into stealing your own company's secrets - by reading a single booby-trapped bug report? No phishing email. No malware. No password ever stolen. Just an AI doing exactly what it was told. Meanwhile, someone calling themselves Nightmare Eclipse has decided to teach Microsoft a lesson. The result? Three zero-days dropped on the internet, one of which lets a thief with a USB stick walk straight past BitLocker. Microsoft is furious. Plus don't miss our featured interview with Son Nguyen Kim of Proton Pass, who explains why plugging AI agents into your email and calendar without thinking twice is rather like hiring a new employee with the keys to everything - and skipping the background check. All this and more in episode 472 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Paul Ducklin.

    EPISODE LINKS:

    - ShinyHunters claims 61M Sysco records https://cybernews.com/news/sysco-shinyhunters-61-million-salesforce-records/ - Cybernews.
    - Derbyshire police officer under investigation for using AI to create evidence https://www.derbyshiretimes.co.uk/news/crime/derbyshire-police-officer-under-investigation-for-using-ai-to-create-evidence-8691004 - Derbyshire Times.
    - Maine forced to take down data breach portal after fake notices filed with authorities https://www.bitdefender.com/en-us/blog/hotforsecurity/maine-take-down-data-breach-portal - Hot for Security.
    - A Fake Bug Report Hijacks Your AI Coding Agent - and Nothing Catches It. https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/ - Tenet Security.
    - Agentjacking: a fake bug report hijacks AI coding agents https://thenextweb.com/news/agentjacking-ai-coding-agents-sentry - TNW.
    - When anti-virus goes rogue - A trifecta of Defender zero-days https://solcyber.com/when-anti-virus-goes-rogue-a-trifecta-of-defender-zero-days/ - SolCyber.
    - BitLocker in crisis? The "YellowKey" zero-day in plain English https://solcyber.com/bitlocker-in-crisis-the-yellowkey-zero-day-in-plain-english/ - SolCyber.
    - Microsoft versus Full Disclosure: The ongoing Nightmare Eclipse saga https://solcyber.com/microsoft-versus-full-disclosure-the-ongoing-nightmare-eclipse-saga/ - SolCyber.
    - BitLocker, Defender, zero-days, and bragging rights: More MS nightmares https://solcyber.com/bitlocker-defender-zero-days-and-bragging-rights-more-ms-nightmares/ - SolCyber.
    - Inside the FBI's Kinetic Cyber Range https://www.fbi.gov/news/stories/inside-the-fbis-kinetic-cyber-range - FBI.
    - Inside the FBI's Kinetic Cyber Range https://www.youtube.com/watch?v=a8UMAc_8L5c - YouTube.
    - Computer worm strikes International Space Station https://grahamcluley.com/computer-worm-strikes-international-space-station/ - Graham Cluley.
    - Raspberry Pi Zero W https://www.raspberrypi.com/products/raspberry-pi-zero-w/ - Raspberry Pi.
    - There's still life in old technology.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff) https://www.smashingsecurity.com/store/

    SUPPORT THE SHOW: Tell your friends and colleagues about "Smashing Security", and leave us a review on Apple Podcasts or Podchaser.

    FOLLOW US: Follow us on Bluesky at @smashingsecurity.com, or Mastodon, or on the Smashing Security subreddit, and visit our website for more information.

    THANKS: Theme tune: "Vinyl Memories" by Mikael Manvelyan. Assorted sound effects: AudioBlocks.

    1h 8m
  2. This AI worm just rewrote its own rules

    Jun 10

    Researchers at the University of Toronto have built a worm that thinks for itself. Using free off-the-shelf AI models it works out how to break into each new computer it encounters, and hijacks the powerful ones to host its own AI brain. And then the researchers discovered their creation had quietly removed the list of machines it wasn't supposed to attack. Meanwhile, Meta's shiny new AI customer support agent has been cheerfully helping hackers help themselves to other people's Instagram accounts. Just keep asking, politely but firmly, to have a password reset sent to a different email address - and the AI will eventually agree. All this and more in episode 471 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest James Ball.

    EPISODE LINKS:

    - Emmys data leak: update exposes access to award submissions - Cybernews.
    - A $1,000 AI agent found 21 zero-days in FFmpeg, some 23 years old - Martin Cid Magazine.
    - Hackers steal $1.7M condom shipment - Cybernews.
    - AI Agents Enable Adaptive Computer Worms - ArXiv.
    - 21 Zero-Days in FFmpeg - Depthfirst.
    - Meta confirms thousands of Instagram accounts were hacked by abusing its AI chatbot - ~this week in security~.
    - Hackers trick Meta AI support bot to infiltrate Obama White House Instagram account - The Guardian.
    - Look-In Star Portrait Challenge - Monkeon.
    - Final Fantasy VII Remake - Square Enix.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - XBOW - The autonomous offensive security platform that helps security teams scale. Start a pentest today.
    - OPSWAT - Read Benny Czarny's book, "Cybersecurity Upside Down", to rethink how you protect your organization from file-based threats, including those powered by AI.

    SUPPORT THE SHOW: Tell your friends and colleagues about "Smashing Security", and leave us a review on Apple Podcasts or Podchaser. Become a supporter! Join Smashing Security PLUS via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

    FOLLOW THE SHOW: Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

    THANKS: Theme tune: "Vinyl Memories" by Mikael Manvelyan. Assorted sound effects: AudioBlocks.

    Privacy & Opt-Out: https://redcircle.com/privacy

    46 min
  3. This AI security flaw might be impossible to fix

    Jun 3

    A website called "UK visa portal" has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren't. And when a journalist tried to warn the company, it was lawyers who responded. Meanwhile, a paper from Cornell suggests that prompt injection - the technique malicious actors use to trick AI agents into doing things they really shouldn't - may be fundamentally unsolvable. Which is err... awkward, because everyone is rushing to plug AI agents into their email, files, and corporate networks. Plus don't miss our featured interview with Andrea Sivieri of CoreView, who tells us how hackers can lock your entire organisation out of its Microsoft 365 environment... without having to trick you into running a single piece of malicious code or handing over a password. All this and more in episode 470 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Tanya Janca.

    EPISODE LINKS:

    - Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked - 404 Media.
    - Canon Printer Vulnerability Leaks Plaintext Credentials - Praetorian.
    - Password manager Dashlane says hackers stole some customers' password vaults - TechCrunch.
    - UK Visa Portal exposed thousands of applicants' passports and selfies — then called the lawyers on us - TechCrunch.
    - AI Agents May Always Fall for Prompt Injections - ArXiv.
    - MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure - Cloud Security Alliance.
    - From Preventive to Reactive: How AI Coding Assistants Transform Developers' Security Awareness - ArXiv.
    - Design details that feel like magic - Design Spells.
    - Singing lessons.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - CoreView - How secure is your Microsoft 365 tenant? Find out with CoreView's free Microsoft 365 Tenant Security Scanner.
    - ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.

    58 min
  4. What your Oura ring won't tell you

    May 27

    CISA, the US government agency whose entire job is keeping America's critical infrastructure safe from hackers, has had a contractor publish dozens of plain-text credentials to a public GitHub profile. Meanwhile, your Oura ring is quietly transmitting some of its data unencrypted - and when one journalist asked the company how often it hands user data to law enforcement, the answer was quite telling. Plus don't miss our featured interview with OPSWAT's Benny Czarny about his new book "Cybersecurity Upside Down." All this and more in episode 469 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Lesley Carhart.

    EPISODE LINKS:

    - Canadian man arrested by international authorities, charged with administrating KimWolf DDoS botnet - US Dept of Justice.
    - 700+ education and tech websites hijacked in huge ClickFix malware campaign - Malwarebytes.
    - Leaked Documents Reveal Russian 'Cognitive Strikes' Against the West - Including Islamophobic 'Pig Head' Attacks in Paris - OCCRP.
    - Lawmakers Demand Answers as CISA Tries to Contain Data Leak - Krebs On Security.
    - US cybersecurity agency CISA reportedly in dire shape amid Trump cuts and layoffs - TechCrunch.
    - Oura says it gets government demands for user data. Will it share how many? - This Week In Security.
    - Privacy and transparency of fitness tracking devices - Whyli.
    - Upfest - Europe's largest street-art festival.
    - Magnets Are Bad For Hardware Again - Hackaday.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - XBOW - The autonomous offensive security platform that helps security teams scale. Start a pentest today.
    - OPSWAT - Read Benny Czarny's book, "Cybersecurity Upside Down", to rethink how you protect your organization from file-based threats, including those powered by AI.

    53 min
  5. High-speed train hacks and homicidal lawnmowers

    May 20

    A 23-year-old radio enthusiast spent £300 on a piece of kit from the internet, and used it to bring four packed high-speed trains to a screeching halt. His defence in court? Possibly the most creative excuse we've heard all year. Meanwhile, owners of $4,000 robot lawnmowers are discovering that their gadget can be hijacked over the internet, redirected at journalists who foolishly lie down in front of it, and used to harvest Wi-Fi passwords, email addresses, and GPS coordinates. Change the default password? Sure - until the next firmware update silently resets it back. Plus - don't miss our featured interview with XBOW's Brendan Dolan-Gavitt about how AI is transforming penetration testing. All this and more in episode 468 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Geoff White.

    EPISODE LINKS:

    - Open source tool maker Grafana Labs says hackers stole its code, refuses to pay ransom - TechCrunch.
    - Man accused of stealing Beyoncé's unreleased music takes guilty plea - ABC News.
    - Shai-Hulud code drop: Open season for supply chain attacks - ReversingLabs.
    - Student hacked Taiwan high-speed rail to trigger emergency brakes - BleepingComputer.
    - Polish teen derails tram after hacking train network - The Register.
    - The Cheap Radio Hack That Disrupted Poland's Railway System - WIRED.
    - The man with an army of Yarbo robot lawn mowers - The Verge.
    - Ever been run over by a robot? I have - for science! - TikTok.
    - RD280UA 28" WQXGA BenQ Programming Monitor with Backlight and Flexible Arm - BenQ.
    - Kai Shun DM-0708 combination sharpening stone, grain 300/1000 - Knives and Tools.
    - AI-Assisted ICS Attack on a Water Utility - Dragos.
    - Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access - Google Cloud Blog.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - XBOW - The autonomous offensive security platform that helps security teams scale. Start a pentest today.
    - OPSWAT - Read Benny Czarny's book, "Cybersecurity Upside Down", to rethink how you protect your organization from file-based threats, including those powered by AI.

    56 min
  6. How ShinyHunters hacked the world's biggest universities

    May 13

    Welcome to the largest educational data breach in history - affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas's parent company refused to pay and announced they had deployed "security patches" instead, the hackers were less than impressed. So they came back through the cat flap. Meanwhile, a famous finance expert's face has been showing up on Facebook adverts promising hot stock tips and exclusive WhatsApp investment groups. Spoiler: it isn't him, the tips aren't real, and you're about to be scammed. Plus we chat to Mike Nichols of Elastic, about how the SOC isn't dying, attackers and defenders are both deploying AI agents, and how the real security crisis is no longer human users - it's the bots acting on their behalf. All this and more in episode 467 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Danny Palmer.

    EPISODE LINKS:

    - ICO fines South Staffordshire £963K over 2022 breach - The Register.
    - US bank reports itself after AI customer data mishap - The Register.
    - Hackers abuse Google ads, Claude.ai chats to push Mac malware - Bleeping Computer.
    - Canvas hack: What we know about apparent cyberattack that impacted thousands of schools - CNN.
    - Canvas hack: Company pays criminals to delete students' stolen data - BBC News.
    - Post by @amosmagliocco.bsky.social - Bluesky.
    - Post by @sethcotlar.bsky.social - Bluesky.
    - The Architecture of Deception: How a $187 Million Fraud Ecosystem Exploits Trust Across Australia and the United States - Group IB.
    - The Fake Nobel that Duped the Romanian Academy - Scena9.
    - A (Very) Short History of Life On Earth by Henry Gee - Waterstones.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - Elastic - AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.
    - CoreView - How secure is your Microsoft 365 tenant? Find out with CoreView's free Microsoft 365 Tenant Security Scanner.

    1h 4m
  7. Meta sees everything, Copy Fail, and a deepfake gets hired

    May 6

    Meta's smart glasses promise privacy "designed for you" - but everything they record was being beamed off to workers in Nairobi to label by hand. When those workers blew the whistle, Meta sacked all 1,108 of them. Meanwhile, the IT press is in a frenzy over a new Linux bug called "Copy Fail" - complete with logo, dedicated website, and a marketing-friendly name. But is it really the disaster everyone's making it out to be? And in our featured interview, Jake Moore of ESET explains how he tricked a company into offering his deepfake clone a job - after a perfectly normal-looking video interview. All this and more in episode 466 of the "Smashing Security" podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Paul Ducklin.

    EPISODE LINKS:

    - Anti-DDoS Firm Heaped Attacks on Brazilian ISPs - Krebs On Security.
    - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha - Bleeping Computer.
    - Trellix confirms data breach after hack of 'a portion' of its source code - TechRadar.
    - Meta's AI Smart Glasses and Data Privacy Concerns: Workers Say "We See Everything" - Svd.
    - Dispute over fate of Kenyan workers who saw Meta AI glasses films - BBC News.
    - Copy Fail - CVE-2026-31431.
    - Copy Fail: Hype versus reality - the full story - SolCyber.
    - Flight into Danger: The Original Airplane! - BBC Sounds.
    - The Luton writer behind the original Airplane! - BBC News.
    - Code Dependent by Madhumita Murgia - Pan Macmillan.
    - The Code Book - Simon Singh.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - ESET - 30 years of threat research behind unique global telemetry, AI-native technology, and human expertise working together to keep your business protected.
    - Action1 - Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.

    1h 3m
  8. This developer wanted to cheat at Roblox. It cost millions

    Apr 29

    A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of organisations. All for some free in-game currency. Meanwhile, there's a 1980s phone protocol called SS7 that lets shadowy surveillance companies track anyone, anywhere, via their mobile phone. Governments know about it. Telecoms know about it. Nobody's fixing it. All this and more in episode 465 of the "Smashing Security" podcast with cybersecurity keynote speaker and industry veteran Graham Cluley, joined this week by special guest James Ball. Plus! Don't miss our featured interview with Rob Edmondson of CoreView, discussing how to lock down Microsoft 365 before it's too late.

    EPISODE LINKS:

    - Burglar alarm biz gets burgled, ShinyHunters pursues ransom - The Register.
    - Ransomware negotiator pleads guilty after leaking victims' insurance details to 'BlackCat' hackers - Tom's Hardware.
    - Grok tells researchers pretending to be delusional 'drive an iron nail through the mirror while reciting Psalm 91 backwards' - The Guardian.
    - Vercel April 2026 security incident - Vercel.
    - App host Vercel says it was hacked and customer data stolen - TechCrunch.
    - Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials - Hacker News.
    - Sorry for the Nazi spam from my Twitter account - Graham Cluley.
    - Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors - Citizen Lab.
    - Surveillance vendors caught abusing access to telcos to track people's phone locations, researchers say - TechCrunch.
    - The rapid rise of phone surveillance firms - The Bureau of Investigative Journalism.
    - Please shut up about your Spotify Wrapped - The New World.
    - Think For Yourself - Beatles Song Identification Game.
    - Nodes: Free Connection Puzzle & Vertex Game Alternative.
    - Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

    SPONSORS:

    - Elastic - AI is transforming security operations, but security is still a data problem. Learn how context-rich data drives faster, more reliable defence.
    - Vanta - Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
    - Coreview - Download "Total Tenant Takeover", a white paper about the Microsoft 365 Disaster No One Is Ready For.

    1h 5m