CyberWire Daily
Episode: "WhatsAppened to Samsung?"
Date: September 12, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Dave Lewis, Global Advisory CISO at 1Password
Episode Overview
This episode offers a comprehensive roundup of cybersecurity news and trends as of September 12, 2025. Major topics include Samsung patching a critical zero-day Android vulnerability disclosed by WhatsApp, Microsoft’s global Exchange Online outage, policy developments from CISA and the California legislature, Apple’s ongoing spyware warnings, FTC investigations into AI chatbots and child safety, a high-profile hacker’s legal appeal in Finland, and a deep-dive interview with Dave Lewis (1Password) on cybersecurity in M&A deal processes. The episode concludes with a warning about schools facing cybersecurity threats from students.
Key News Highlights & Insights
[01:28] Samsung Zero-Day Vulnerability Patched
- Issue: A critical zero-day vulnerability affecting Samsung Android devices (running Android 13+) was actively exploited.
- Source: Reported by Meta & WhatsApp (August 13).
- Technical Details: An out-of-bounds write in a closed-source Quramsoft image parsing library allowed remote arbitrary code execution.
- Scope: Unclear if only WhatsApp users were targeted or if other messaging apps using the same library were vulnerable.
- Context: Disclosure follows a previous WhatsApp zero-click patch in late August, for a flaw that was used together with an Apple zero-day in sophisticated spyware campaigns.
- Advice: Experts emphatically urge users to update devices promptly.
[03:10] Microsoft Exchange Online Outage
- Impact: Global login and server connection issues across Outlook, Teams, and Hotmail.
- Root Cause: A faulty software build triggered repeated data dismounts/failovers, high CPU usage, and message queue backlogs.
- Response: Microsoft applied config changes and restored infrastructure. Monitoring continues to ensure stability.
[04:00] CISA’s Commitment to the CVE Program
- Announcement: CISA will continue funding the CVE database until March 2026.
- Improvements Planned: Modernization, expanding international/sector participation, transparent governance, and exploring automation, AI, and vulnerability data enrichment (including "vulnrichment" initiatives).
- Aim: To improve CVE record accuracy, speed, and global accessibility.
[05:10] California's Web Privacy Bill
- Bill: Requires all browsers to include a setting for users to automatically send opt-out signals, ceasing third-party data sharing.
- Status: Awaiting Gov. Newsom’s signature—he vetoed a broader version in 2024.
- Impact: Eases consumer ability to exercise digital privacy rights; advocates praise it.
[05:56] Apple Spyware Attack Warnings
- Update: At least four spyware attack alerts issued since March (per France’s CERT-FR); attacks highly targeted at journalists, activists, politicians.
- Attack profile: Zero-day vulnerabilities, often zero-click, affecting high-profile individuals in over 150 countries.
- Apple's Advice: Affected users should enable Lockdown Mode and seek emergency help.
[06:49] FTC Investigates AI Chatbots' Impact on Children and Teens
- Targeted Companies: Alphabet, Meta, OpenAI, Snap, Character AI, Instagram, xAI.
- Issues Investigated: Risk-testing, user data management, monetization strategies, and effectiveness of youth safeguards.
- Backdrop: 70%+ of teens reportedly use AI companions; more than half monthly.
- Expert Concerns: Some AI chatbots provide harmful advice, gloss over flag statements, and blur lines between reality and fiction.
- Regulatory Deadline: Companies must respond to FTC by September 25th.
[08:22] European Space Agency’s Defense-Cyber Assembly
- Speaker: Josef Aschbacher, ESA Director General.
- Theme: Europe’s need for greater space and defense autonomy; presently behind the US and China in space-based intelligence.
- Key Quote:
  "Europe’s space and defense autonomy has become one of our continent's foremost priorities, as we have just also heard very clearly from Commissioner Corbilius." – Josef Aschbacher ([08:56])
- Urgency: EU's reliance on American space data, especially in the Ukraine conflict, is a strategic concern.
[10:37] Finnish Hacker Alexander Kivimaki Released Pending Appeal
- Background: Kivimaki, convicted in the Vastaamo psychotherapy data breach/extortion (20,000+ patient victims), released pending appeal.
- Context: The 2018 breach, exposed in 2020, has been called a watershed case in Finnish privacy law.
- Evidence: Prosecutors cite server logs, crypto transactions, and personal files; Kivimaki disputes evidence.
- Impact: Victims still grapple with repercussions. Appeal verdict expected later in the year.
[14:18] Deep Dive: Cybersecurity in M&A – Interview with Dave Lewis, 1Password
The Chaos & Importance of Early Cybersecurity Involvement
- Accelerated Timelines:
  "They find themselves in the throes of chaos because these events are on a very tight time horizon... And this really does have a significant impact on cybersecurity because not always is cybersecurity there at the beginning." – Dave Lewis ([14:36])
- Deal Jeopardy: Early security involvement can reveal fatal red flags, sometimes terminating deals.
Red Flags in Security Due Diligence
- Small Company Weakness:
  "One healthcare company ... got together once a month to talk about security issues over lunch. And that was a very disturbing moment for me..." – Dave Lewis ([15:34])
- Lack of Policy & Visibility: Organizations that appear in government records for repeated breaches, lack formal security staff, or treat basic patching as a "CISO" role are major risks.
Key Security Protocols for M&A
- Phases:
  - Due Diligence: Evaluate security posture, third-party risk, potential "blast radius."
  - Integration: Align identity/access policies, address SaaS/vendor ecosystem overlaps.
  - Post-Deal: Continuous monitoring, formal audits, validation of inherited vulnerabilities.
Prevalence of Security Mismatches
- Surprisingly Common:
  "More often than not... companies think they're a great match—culture lines up—but digging into the security reveals serious problems." – Dave Lewis ([18:08])
- Deal Killers: Sometimes, even non-security red flags (like not being able to quantify customer onboarding costs) can end a deal ([18:55]).
Practical Recommendations
- Prepare Now:
  "It’s kind of a ‘pay me now or pay me later’ situation. If you think M&A is in your future, the time to start preparing is now." – Dave Bittner ([19:20])
  "You can identify gaps and breaches—not only good for an acquisition, but making sure you have your compliance in a good state as well." – Dave Lewis ([19:32])
- Critical Actions:
  - Rapid security assessments.
  - Mapping critical assets/data flows.
  - Interim access control policies to avoid over-permissioning.
  - Consolidation of identity/access management.
  - Create a cybersecurity integration playbook—especially important for serial acquirers.
The “Whoops” Factor After a Deal
- Oversights in Acquisition:
  “There’s also the whoops factor…The core engineering team hadn’t been contracted to stay post-acquisition; the entire institutional brain trust left.” – Dave Lewis ([22:24])
- Document Knowledge Risk: Lack of retention strategies/documentation can jeopardize operational knowledge and system availability.
Foundational Recommendations for All Organizations
- Universal Relevance:
  "Whether or not M&A is part of the situation, they should be looking at this as a way to make sure their security is up to date... because an M&A deal is not just a financial transaction, it’s a cybersecurity event." – Dave Lewis ([23:54])
- Summary: Sound security diligence and posture benefit the whole organization, not just in the context of M&A deals.
Other Notable Segments
[25:58] Schools Facing Student Insider Threats
- Statistic: 57% of cyber incidents in UK education since 2022 have been carried out by children, some barely out of primary school.
- Context:
  "Teenagers ... have been breaking into databases of thousands, claiming it’s all for practice."
- Risks: Students are circumventing password protections and downloading hacking tools, challenging teachers to keep up with evolving threats.
- Advice: Schools should treat students as insiders and secure sensitive systems accordingly.
Memorable Quotes & Timestamps
- "Europe’s space and defense autonomy has become one of our continent's foremost priorities, as we have just also heard very clearly from Commissioner Corbilius."
  — Josef Aschbacher ([08:56])
- "One healthcare company...got together once a month to talk about security issues over lunch. And that was a very disturbing moment for me..."
  — Dave Lewis ([15:34])
- "More often than not...companies think they're a great match—culture lines up—but digging into the security reveals serious problems."
  — Dave Lewis ([18:08])
- "It’s kind of a ‘pay me now or pay me later’ situation. If you think M&A is in your future, the time to start preparing is now."
  — Dave Bittner ([19:20])
- "There’s also the whoops factor…The core engineering team hadn’t been contracted to stay post-acquisition; the entire institutional brain trust left."
  — Dave Lewis ([22:24])
Episode Structure & Flow
- Opens with rapid-fire cybersecurity news updates, covering major recent incidents and regulatory developments.
- Mid-episode features in-depth reporting from ESA’s assembly (via guest Maria Varmazis).
- The second half centers on Dave Lewis’ expert insights into cybersecurity for M&A.
- Concludes with a unique perspective on student “insider threat” risks in schools, wrapping up with a touch of humor but a serious undertone.
For further reading and full story links, visit thecyberwire.com.
