On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
British retail stalwart Marks & Spencer gets cybered
South Korean telco sets out to replace all its subscriber SIMs after (we assume) it lost the keymat
It’s a good exploit week! Bugs in Apple Airplay, SAP webservers, Erlang SSH and CommVault backups
Juice jacking! No, really! Some researchers actually did it (so still not in the wild, then)
Anti-DOGE whistleblower sure sounds like he has a pointThis week’s episode is sponsored by Knocknoc, who let you glue your firewalls to your single sign on. Knocknoc’s CEO Adam Pointon talks about the joy that having end-to-end IPv6 would bring for zero-trust access control. He also touches on people using Knocknoc inside their network to isolate critical systems.
Editors Note : Pat also gives Adam (Boileau) stick in the sponsor interview about the Risky Biz webserver not having IPv6 enabled, which fact-checking during the edit says is FAKE NEWS. Just uh, don’t look at how fresh that AAAA record in the DNS is, friends 😉
This episode is also available on Youtube.
Show notes
British retailer M&S confirms being hit by ‘cyber incident’ amid store delays | The Record from Recorded Future News
M&S cyber-attack linked to hacking group Scattered Spider | Marks & Spencer | The Guardian
Bina Puri shares, Warrant B close sharply lower day after hacking
Bina Puri, Pos Malaysia tumble following hacking incident | FMT
Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts | The Record from Recorded Future News
US conducts cyberattacks against major Chinese commercial encryption provider: report - Global Times
Iran says major cyberattack on infrastructure repelled | Iran International
Spain rules out cyber attack - but what could have caused power cut?
South Korea's SK Telecom begins SIM card replacement after data breach
AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security | Oligo Security
iOS and Android juice jacking defenses have been trivial to bypass for years - Ars Technica
How Android 16's new security mode will stop USB-based attacks - Android Authority
Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive
Critical vulnerability in SAP NetWeaver under threat of active exploitation | Cybersecurity Dive
CVE-2025-31324: Critical SAP Flaw Explained | Strobes
Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028)
Risky Bulletin: NFC card malware keeps evolving in Russia, a bad omen for the future - Risky Business Media
Hegseth had unsecured internet line in Pentagon for Signal, sources say | AP News
Whistleblower: DOGE Siphoned NLRB Case Data – Krebs on Security
2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf
CISA gets a deputy director as it braces for major layoffs | Cybersecurity Dive
Two top cyber officials resign from CISA | The Record from Recorded Future News
Ex-CISA chief Chris Krebs leaving SentinelOne following Trump pressure | Reuters
Former cyber official targeted by Trump speaks out after cuts to digital defense
Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today's Adversaries | SentinelOne
ZachXBT on X: "Nine hours ago a suspicious transfer was made from a potential victim for 3520 BTC ($330.7M)"