A
You're listening to the CyberWire Network.
B
Powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.
At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at
Samsung patches a critical Android zero-day. Microsoft resolves a global Exchange Online outage. CISA reaffirms its commitment to the CVE program. California passes a bill requiring web browsers to let users automatically send opt-out signals. Apple issues spyware attack warnings. FTC opens an investigation into AI chatbots on how they protect children and teens. A hacker convicted of attempting to extort more than 20,000 psychotherapy patients is free on appeal. Our guest is Dave Lewis, global advisory CISO at 1Password, discussing how security leaders can protect M&A deal value and integrity. And schools face insider threats from students.
September 12, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us and happy Friday. It's great to have you with us.
Samsung has patched a critical zero-day vulnerability that was actively exploited against its Android devices. The flaw, affecting devices running Android 13 or later, was reported by Meta and WhatsApp on August 13. It stems from an out-of-bounds write in a closed-source image parsing library from Quramsoft. Attackers could exploit it remotely to execute arbitrary code. Samsung confirmed the bug had been used in the wild, although it's unclear if attacks targeted only WhatsApp users or other messaging apps using the same library. The disclosure follows another WhatsApp patch in late August, where the company fixed a zero-click bug exploited alongside an Apple zero-day in sophisticated spyware campaigns. Experts urge users to update devices promptly.
Microsoft has resolved a global Exchange Online outage that blocked access to emails and calendars for many users. The disruption, which began early Thursday, caused login and server connection issues across Outlook, Teams and Hotmail. Microsoft traced the problem to a faulty software build that triggered repeated data dismounts and failovers, leading to high CPU usage and message queue backlogs. After applying configuration changes and restoring infrastructure, the company announced service recovery early Friday, though it continues monitoring to ensure stability.
CISA has reaffirmed its long-term commitment to the CVE program, a critical global system for cataloging security flaws. After recent uncertainty, CISA confirmed it will fund the program through March 2026 and maintain CVE data as a free, open public good. CISA outlined plans to modernize the program, expand international and multi-sector participation and ensure transparent, vendor-neutral governance. It also aims to diversify funding and strengthen vulnerability data enrichment through initiatives like Vulnrichment and Authorized Data Publisher capabilities. By incorporating community feedback and exploring automation, AI and machine learning, CISA hopes to improve the accuracy, timeliness and scalability of CVE records, ensuring defenders worldwide share a common foundation against cyber threats.
California lawmakers have passed a bill requiring web browsers to include a setting that lets users automatically send opt-out signals, stopping third-party data sharing. While the California Consumer Privacy Act already grants this right, most browsers haven't provided the needed functionality. The bill now awaits Governor Gavin Newsom's signature. He vetoed a broader version of it last year. If enacted, browsers must let users enable a universal opt-out request. Privacy advocates say the measure makes exercising digital rights far easier for consumers.
Apple has issued multiple spyware attack warnings this year, according to France's CERT-FR, which confirmed at least four alerts sent since March. The highly targeted attacks, often using zero-day exploits and requiring no user interaction, focused on journalists, activists, politicians and other high-profile individuals. Notifications are delivered via email, SMS and Apple account logins. Apple urges affected users to enable Lockdown Mode and seek emergency help. Since 2021, Apple has sent such warnings worldwide, covering users in over 150 countries.
The Federal Trade Commission has opened an investigation into AI chatbots from seven companies, including Alphabet, Meta, OpenAI, Snap, Character AI, Instagram and xAI, focusing on how they protect children and teens. A recent survey found that over 70% of teens use AI companions, with more than half engaging monthly. Experts warn these tools can provide harmful advice, ignore concerning statements and blur boundaries between fiction and reality. The FTC wants details on how companies test for risks, handle user data, monetize engagement and enforce safeguards. While some firms like Character AI and Snap have rolled out parental controls and teen-specific features, critics say stronger protections are needed. Companies must respond to FTC orders by September 25th.
Jumping over to Europe, we hear from our T-Minus Space Daily host Maria Varmazis as the European Space Agency's Director General Josef Aschbacher delivered the opening remarks at the General Assembly for Defense, Space and Cybersecurity.
C
The European Space Agency's Director General Josef Aschbacher delivered the opening remarks at the General Assembly for Defense, Space and Cybersecurity. The European Parliament and the European Commission, in collaboration with ESA, organized the assembly to promote dialogue between European and national decision makers and industry representatives in the context of the unprecedented challenges that the European Union is facing in an increasingly complex geopolitical situation. Josef Aschbacher pushed for a stronger alliance on space and defense.
D
But today let us be audacious and not shy away from what has been a discreet but clear driving force for space efforts, of its technology breakthroughs, of pushing the boundaries of collective will, our security and defence. And why do I say discreet? Because Europe has been shy in coming to terms with the legitimate role of cooperative space which it plays in our security and in our geostrategic independence. And it is now a fact Europe's space and defense autonomy has become one of our continent's foremost priorities, as we have just also heard very clearly from Commissioner Kubilius.
C
Aschbacher also warned that Europe is not just trailing behind its counterparts in the United States and China in terms of space based intelligence. He said that they're not playing the same game at all, at least not yet. He also pushed for European sovereignty over data collection, referring to Europe's reliance on American space data, particularly with the current conflict in Ukraine. The consensus from the assembly is that Europe will be shifting towards control of its own defense, space and cybersecurity assets, and it will certainly be interesting to see how that plays out in the coming years.
B
That's Maria Varmazis, host of the T-Minus Space Daily podcast. Be sure to check out T-Minus wherever you get your favorite podcasts.
Finnish hacker Aleksanteri Kivimäki, convicted of attempting to extort more than 20,000 psychotherapy patients after the Vastaamo data breach, has been released from custody pending appeal. Kivimäki, arrested in France in 2023 and extradited to Finland, was sentenced to six years and three months but remains legally innocent while appealing. The 2018 hack, revealed in 2020, led to mass extortion attempts against patients, including children, making it one of Europe's largest criminal privacy cases. Victims continue to suffer from leaked records described as a watershed event for Finnish society. Prosecutors link Kivimäki to the crime via server logs, cryptocurrency transactions and personal files, though he disputes the evidence. The appeals trial runs through November, with a ruling expected later this year.
Coming up after the break, my conversation with Dave Lewis from 1Password. We're discussing how security leaders can protect M&A deal value and integrity, and schools face insider threats from students. Stay with us.
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC: just imagine how much easier trust can be. Visit vanta.com/cyber to sign up today for a free demo. That's V-A-N-T-A dot com/cyber.
B
Dave Lewis is global advisory CISO at 1Password. We recently got together to discuss how security leaders can protect M&A deal value and integrity.
A
Quite literally, they find themselves in the throes of chaos because usually these events are on a very tight time horizon and they have to make sure that they are getting it through as fast as they can so that they don't run the risk of missing out on the deal or having the deal fall apart for whatever reason. So there tends to be an accelerated timeline. And this really does have a significant impact on cybersecurity because not always is cybersecurity there at the beginning. I've been through a lot of deals over the years where I was brought in after the fact. Thankfully, there were other companies where I was brought in at the beginning. And for whatever reason, I was able to put an end to that deal simply because some of the issues that were highlighted at the outset really were red flags and the deal itself was in jeopardy if we were to proceed.
B
What kind of things can be revealed about an organization when you start digging into their cybersecurity posture?
A
Well, it depends on the size of the organization. For a smaller shop, if they don't have anybody that's doing security, that's a bit of a troublesome moment. There was one healthcare company that I met with a couple years back and they said that they didn't have anybody as part of their security team. What they did was they got together once a month to talk about security issues over lunch. And that was a very disturbing moment for me because they had electronic health records they had to be concerned about in the posture of their overall organization. And at that time, they were looking to fill a position for, and I quote, a CISO. And I was told that that particular position would report to the CTO and would be responsible solely for just doing patching. And I said to them, I said, that is not a CISO role. And they said, well, in our organization it is. And I said, oh, good luck to you. And that says kind of things that they will pop up. And if there's no policy set, if they have shown up in various government publications for multiple security breaches because there's mandatory reporting and things to that effect. So you have to do your background, you have to do your due diligence in order to make sure that things are on the up and up before you even consider moving to an integration phase.
B
Well, can you take us through some of the security protocols that are necessary for an M&A activity?
A
Well, first and foremost, you start off with the due diligence phase, where you're looking at the security posture assessment of that target organization, looking at third-party risk management checks, you know, what is the blast radius in the event that something was to go wrong. For the next stage, then, the integration phase, you're looking at aligning your identity access management policies with access controls, making sure that you're tackling extended access management, and then consolidating vendor and SaaS ecosystems to reduce overlap. Because one of the problems that I find in a lot of organizations is they don't have a really good way to manage their SaaS contracts, as it were, in a coherent fashion. And then the third stage would be post-deal closure, of continuous monitoring of the inherited vulnerabilities, because like it or not, you will inherit something from the organization you're bringing in, and looking at formal audits to ensure that security baselines are in fact being met.
B
How often does it happen that a pair of companies will think that they have a great match? Here the cultures line up and then when you start digging into the security, you find that there are some serious problems.
A
Honestly, that is more often than not. And it's a troubling thing because I've experienced it in companies in the past. I haven't experienced it here. We've been very fortunate so far, but in the past I have actually encountered exactly that where it looked like a great fit initially. And then once we started kicking things around, we realized that said company was in a very, very bad position because they had gone along with the checkbox compliance approach to security. And unfortunately, as a result, they weren't doing true security. They were doing the bare minimum and it needed to be a better threat or rather security posture in that particular case.
B
And so there are situations you've seen where this has actually killed the deal.
A
Yes, yes. There was one in particular I mentioned earlier where I was able to put an end to the deal. And I think one of the really big red flags initially was I asked what their cost for onboarding a new customer was and they had no idea how to answer the question. That was not so much a security issue as it was a giant red flag that they didn't know how to properly quantify how they were bringing people into the, or rather customers into the organization.
B
It strikes me that this is kind of a pay me now or pay me later situation. You know, if you think that M&A is in your future, the time to start preparing yourself is now.
A
Yes. And that is a fair assessment because, you know, we're in a phase right now where there's a lot of acquisitions that have been happening and it's an ebb and flow. You will see this happen for a couple years and then it'll go back to lots of organizations that are having all these really great startups. And then again the acquisition cycles begin again. So as a CISO, when you're looking at the key actions that you want to take, you have to look at stuff like conducting rapid security assessments. You can identify gaps and breaches. It's not only good for an acquisition perspective, but making sure that you have all of your compliance in a good state as well as the security, overall security posture of your organization. You want to be able to map the critical assets and data flows, understanding that you're inheriting issues or if you're as the acquirer or the acquiree, and understanding where your crown jewels are, you know, where's your source code, where is all of your corporate secrets? What else can you do here? You can establish an interim access control policy to make sure that you're not over-permissioning things in order to get the job done. Because I've been in states where we brought in an external organization and the IT team simply wanted to give them basically the equivalent of any-any access, if you know the firewall parlance, to just get the job done. And unfortunately that would have been a massive exposure because that particular company was located in a country where there are crypto export control issues. And that's all I'll say about that piece. But you know, planning for identity access management consolidation, because you bring the two companies together, you're not going to keep two of everything, right? You're going to consolidate that. Because otherwise you're spending an absolutely metric ton of money to do the maintenance.
Because maintenance on any sort of project or you buy like it insul is, you know, 23 to 25 percent per annum just for maintenance. So if you're having two of everything, that's not really going to be a good look. So you want to look at how you can do consolidation in a way that makes sense and making sure that it aligns to collaboration immediately. What else can you tell you here? Building a cybersecurity integration playbook, having your team being able to act swiftly once the deal is official so that you've done all your due diligence, then you have your game plan, it's ready to go. And it doesn't have to be overly prescriptive. It just hits on the highlights in order to tackle the problems right out of the gate. And if you're a larger company where you're doing lots of acquisitions, then you can make this as a playbook that you can use over and over again.
B
Well, let's talk about that after the fact situation where the deals are signed, the merger or the acquisition has happened, everybody breathes a big sigh of relief. Is there a tendency for people to then move on to the next thing and think, oh well, we're done with that?
A
That does happen on occasion. And there's also the whoops factor that comes into the equation as well. I've seen in organizations where an acquisition was done, everybody was having fun at the welcome party where the two companies came together. And in that particular instance, we noticed that none of the engineers were there from the core team. And it turned out that at no point were they signed up to be part of the transition. So there were no golden handcuffs. So they were able to take their money and leave because they had no obligation to stay because somebody missed a line in a contract. And so that was a huge exposure there because you just had the brain trust walk right out the door.
B
That's interesting because that's not an element that I think I would have rolled into the due diligence for cyber security, but it absolutely should be.
A
Exactly. If you go back to the, you know, the tried and true CIA triad, you know, the availability becomes a real issue, the integrity becomes a real issue, because all of a sudden all your institutional knowledge has just walked out the door. Then all of a sudden it's like, oh, how are we going to keep these systems running? How are we going to maintain them? Because, oh, I don't think anybody has really good documentation. There's only one company I've ever seen that had stellar documentation, but that was a unicorn.
B
So what are your recommendations then? If a company thinks that M&A is in their future, what sort of foundational things should they be putting in place?
A
Quite honestly, whether or not M&A is part of the situation, they should be looking at this as a way to making sure their security is up to date, you know, because an M&A deal is not just a financial transaction, it's a cybersecurity event. And you want to make sure that you have strong security diligence that will help directly influence the success of the deal. But when you're looking at it from the perspective of protecting your organization, going through those same steps of the risk assessment, the data flows, access control strategy, and having that integration playbook, all of those pieces. While it may seem it's purpose driven, if you take a step back and look at it again, it's actually a really good way to make sure that you're in a better security posture for your organization overall.
B
That's Dave Lewis, global advisory CISO at 1Password.
B
And finally, Britain's schools are apparently raising the next generation of hackers, though not quite in the way they'd hoped. The Information Commissioner's Office says 57% of cyber incidents in education since 2022 have been carried out by children, some barely out of primary school. One 17-year-old even landed on the radar of the National Crime Agency after dabbling in mischief better suited to a Bond villain than a year two pupil. Teenagers, meanwhile, have been breaking into databases of thousands, claiming it's all for practice. The ICO warns teachers not to overlook the insider threat posed by their own students, who are guessing passwords and downloading hacking tools like they're cheat codes. Teachers, it seems, might want to lock down their digital gradebooks before their pupils do it for them.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Amanda Rousseau, principal AI security researcher from Straiker. We're discussing their work, "The Silent Exfiltration: Zero-Click Agentic AI Hack That Can Leak Your Google Drive with One Email." That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
Date: September 12, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Dave Lewis, Global Advisory CISO at 1Password
This episode offers a comprehensive roundup of cybersecurity news and trends as of September 12, 2025. Major topics include Samsung patching a critical zero-day Android vulnerability disclosed by WhatsApp, Microsoft’s global Exchange Online outage, policy developments from CISA and the California legislature, Apple’s ongoing spyware warnings, FTC investigations into AI chatbots and child safety, a high-profile hacker’s legal appeal in Finland, and a deep-dive interview with Dave Lewis (1Password) on cybersecurity in M&A deal processes. The episode concludes with a warning about schools facing cybersecurity threats from students.
"Europe’s space and defense autonomy has become one of our continent's foremost priorities, as we have just also heard very clearly from Commissioner Kubilius."
— Josef Aschbacher ([08:56])
"One healthcare company...got together once a month to talk about security issues over lunch. And that was a very disturbing moment for me..."
— Dave Lewis ([15:34])
"More often than not...companies think they're a great match—culture lines up—but digging into the security reveals serious problems."
— Dave Lewis ([18:08])
"It’s kind of a ‘pay me now or pay me later’ situation. If you think M&A is in your future, the time to start preparing is now."
— Dave Bittner ([19:20])
"There’s also the whoops factor…The core engineering team hadn’t been contracted to stay post-acquisition; the entire institutional brain trust left."
— Dave Lewis ([22:24])
For further reading and full story links, visit thecyberwire.com.