CyberWire Daily - WhatsAppened to Samsung?
Episode Date: September 12, 2025

Samsung patches a critical Android zero-day vulnerability. Microsoft resolves a global Exchange Online outage. CISA reaffirms its commitment to the CVE program. California passes a bill requiring web browsers to let users automatically send opt-out signals. Apple issues spyware attack warnings. The FTC opens an investigation into AI chatbots on how they protect children and teens. A hacker convicted of attempting to extort more than 20,000 psychotherapy patients is free on appeal. Our guest is Dave Lewis, Global Advisory CISO at 1Password, discussing how security leaders can protect M&A deal value and integrity. Schools face insider threats from students.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today's guest is Dave Lewis, Global Advisory CISO at 1Password, discussing how security leaders can protect deal value and integrity.

Selected Reading
Samsung patches actively exploited zero-day reported by WhatsApp (Bleeping Computer)
Microsoft fixes Exchange Online outage affecting users worldwide (Bleeping Computer)
CISA looks to partners to shore up the future of the CVE Program (Help Net Security)
California legislature passes bill forcing web browsers to let consumers automatically opt out of data sharing (The Record)
Apple warns customers targeted in recent spyware attacks (Bleeping Computer)
FTC to AI Companies: Tell Us How You Protect Teens and Kids Who Use AI Companions (CNET)
Defence, Space and Cybersecurity. Why the General Assembly in Frascati matters (Decode39)
DSEI Takeaways: Space and Cyber and the Invisible Front Line (Via Satellite)
Hacker convicted of extorting 20,000 psychotherapy victims walks free during appeal (The Record)
Children hacking their own schools for 'fun', watchdog warns (BBC) - kicker

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of
cyber innovation. Visit DMVRising.com to secure your spot.
At Thales, they know cybersecurity can be tough, and you can't protect everything.
But with Thales, you can secure what matters most. With Thales's industry-leading platforms,
you can protect critical applications, data, and identities, anywhere and at scale, with the highest
ROI. That's why the most trusted brands and largest banks, retailers, and health care
companies in the world rely on Thales to protect what matters most: applications, data, and
identity. That's Thales. T-H-A-L-E-S. Learn more
at thalesgroup.com slash cyber.
Samsung patches a critical Android zero-day.
Microsoft resolves a global Exchange Online outage.
CISA reaffirms its commitment to the CVE program.
California passes a bill requiring web browsers to let users automatically send opt-out signals.
Apple issues spyware attack warnings.
The FTC opens an investigation into AI chatbots on how they protect children and teens.
A hacker convicted of attempting to extort more than 20,000 psychotherapy patients is free on appeal.
Our guest is Dave Lewis, Global Advisory CISO at 1Password,
discussing how security leaders can protect M&A deal value and integrity.
And schools face insider threats from students.
It's Friday, September 12th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us, and happy Friday.
It's great to have you with us.
Samsung has patched a critical zero-day vulnerability
that was actively exploited against its Android devices.
The flaw, affecting devices running Android 13 or later,
was reported by Meta and WhatsApp on August 13th.
It stems from an out-of-bounds write in a closed-source
image parsing library from Quramsoft.
Attackers could exploit it remotely to execute arbitrary code.
Samsung confirmed the bug had been used in the wild,
although it's unclear if attacks targeted only WhatsApp users
or other messaging apps using the same library.
The disclosure follows another WhatsApp patch in late August,
where the company fixed a zero-click bug
exploited alongside an Apple zero-day
in a sophisticated spyware campaign.
Experts urge users to update devices promptly.
Microsoft has resolved a global Exchange Online outage
that blocked access to emails and calendars for many users.
The disruption, which began early Thursday,
caused login and server connection issues across Outlook, Teams, and Hotmail.
Microsoft traced the problem to a faulty software build
that triggered repeated database dismounts and failovers,
leading to high CPU usage and message queue backlogs.
After applying configuration changes and restoring infrastructure,
the company announced service recovery early Friday,
though it continues monitoring to ensure stability.
CISA has reaffirmed its long-term commitment to the CVE program,
a critical global system for cataloging security flaws.
After recent uncertainty, CISA confirmed it will fund the
program through March '26 and maintain CVE data as a free, open public good.
CISA outlined plans to modernize the program, expand international and multi-sector participation,
and ensure transparent vendor-neutral governance. It also aims to diversify funding and strengthen
vulnerability data enrichment through initiatives like Vulnrichment and authorized data publisher
capabilities. By incorporating community feedback and exploring automation, AI, and machine learning,
CISA hopes to improve the accuracy, timeliness, and scalability of CVE records, ensuring
defenders worldwide share a common foundation against cyber threats.
California lawmakers have passed a bill requiring web browsers to include a setting that lets
users automatically send opt-out signals, stopping third-party
data sharing. While the California Consumer Privacy Act already grants this right, most browsers
haven't provided the needed functionality. The bill now awaits Governor Gavin Newsom's signature.
He vetoed a broader version of it last year. If enacted, browsers must let users enable a universal
opt-out request. Privacy advocates say the measure makes exercising digital rights far easier
for consumers.
Apple has issued multiple spyware attack warnings this year,
according to France's CERT-FR,
which confirmed at least four alerts sent since March.
The highly targeted attacks,
often using zero-day exploits and requiring no user interaction,
focused on journalists, activists, politicians,
and other high-profile individuals.
Notifications are delivered via email,
SMS, and Apple account logins.
Apple urges affected users to enable Lockdown Mode and seek emergency help.
Since 2021, Apple has sent such warnings worldwide covering users in over 150 countries.
The Federal Trade Commission has opened an investigation into AI chatbots from seven companies,
including Alphabet, Meta, OpenAI, Snap, Character.AI, Instagram, and xAI,
focusing on how they protect children and teens.
A recent survey found that over 70% of teens use AI companions
with more than half engaging monthly.
Experts warn these tools can provide harmful advice,
ignore concerning statements, and blur boundaries between fiction and reality.
The FTC wants details on how companies test for risks,
handle user data, monetize engagement, and enforce safeguards.
While some firms like Character.AI and Snap have rolled out parental controls and teen-specific features, critics say stronger protections are needed.
Companies must respond to FTC orders by September 25th.
Jumping over to Europe, we hear from our T-Minus Space Daily host, Maria Varmazis, as the European Space Agency's Director General, Josef Aschbacher, delivered the opening remarks at the General Assembly for Defense,
Space and Cybersecurity.
The European Space Agency's Director General, Josef Aschbacher, delivered the opening remarks
at the General Assembly for Defense, Space, and Cybersecurity.
The European Parliament and the European Commission, in collaboration with ESA,
organized the Assembly to promote dialogue between European and national decision-makers
and industry representatives in the context of the unprecedented challenges that the European Union
is facing in an increasingly complex geopolitical situation.
Josef Aschbacher pushed for a stronger alliance on space and defense.
But today, let us be audacious and not shy away from what has been a discreet but clear
driving force for space efforts of its technology breakthroughs of pushing the boundaries
of collective will, our security and defense.
And why do I say discreet?
Because Europe has been shy in coming to terms with the legitimate role of cooperative space
which it plays in our security and in our geostrategic independence.
And it is now a fact.
Europe's space and defense autonomy has become one of our continent's foremost priorities,
as we have just also heard very clearly from Commissioner Kubilius.
Aschbacher also warned that Europe is not just trailing behind its counterparts in the United States
and China in terms of space-based intelligence.
He said that they're not playing the same game at all, at least not yet.
He also pushed for European sovereignty over data collection, referring to Europe's
reliance on American space data, particularly with the current conflict in Ukraine.
The consensus from the assembly is that Europe will be shifting towards control of its own defense, space, and cybersecurity assets, and it will certainly be interesting to see how that plays out in the coming years.
That's Maria Varmazis, host of the T-Minus Space Daily podcast. Be sure to check out T-Minus wherever you get your favorite podcasts.
Finnish hacker Aleksanteri Kivimäki, convicted of attempting to extort
more than 20,000 psychotherapy patients after the Vastaamo data breach, has been released from custody
pending appeal. Kivimäki, arrested in France in 2023 and extradited to Finland, was sentenced to
six years and three months, but remains legally innocent while appealing. The 2018 hack, revealed in
2020 led to mass extortion attempts against patients, including children, making it one of Europe's
largest criminal privacy cases.
Victims continue to suffer from leaked records, described as a watershed event for Finnish society.
Prosecutors link Kivimäki to the crime via server logs, cryptocurrency transactions, and personal files,
though he disputes the evidence.
The appeals trial runs through November, with a ruling expected later this year.
Coming up after the break, my conversation with Dave Lewis from 1Password.
We're discussing how security leaders can protect M&A deal value and integrity.
And schools face insider threats from students.
Stay with us.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier.
And it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found
that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy
to focus on what actually matters,
like strengthening your security posture
and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit Vanta.com slash cyber
to sign up today for a free demo.
That's V-A-N-T-A.com slash cyber.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime.
That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply.
Learn more at amex.ca slash Y-Amex.
Dave Lewis is Global Advisory CISO at 1Password.
We recently got together to discuss how security leaders can protect M&A deal value and integrity.
Quite literally, they find themselves in the throes of chaos because usually these events are on a very tight time horizon and they have to make sure that they are getting it through as fast as they can so that they don't run the risk of missing
out on the deal or having the deal fall apart
for whatever reason. So there tends
to be an accelerated timeline. And this
really does have a significant impact
on cybersecurity because
not always is cybersecurity there
at the beginning. I've been
through a lot of deals over the years where
I was brought in after the fact.
Thankfully, there were other companies
where I was brought in at the beginning.
And for whatever reason, I was
able to put an end to that deal simply because
some of the issues that were highlighted
at the outset really, really,
were red flags and the deal itself was in jeopardy if we were to proceed.
What kind of things can be revealed about an organization when you start digging into their
cybersecurity posture? Well, it depends on the size of the organization. For a smaller shop,
if they don't have anybody that's doing security, that's a bit of a troublesome moment.
There was one healthcare company that I met with a couple years back, and they said that
they didn't have anybody as part of their security team.
What they did was they got together once a month to talk about security issues over lunch.
And that was a very disturbing moment for me because they had electronic health records.
They had to be concerned about the posture of their overall organization.
And at that time, they were looking to fill a position for, and I quote, a CISO.
And I was told that that particular position would report to the CTO and would be responsible solely for just doing patching.
And I said to them, I said, that is not a CISO role.
And they said, well, in our organization, it is.
And I said, oh, good luck to you.
And those are the kinds of things that, you know, will pop up.
And if there's no policy set, if they have shown up in various government publications for multiple security breaches, you know, because there's mandatory reporting and things to that effect.
So you have to do your background.
You have to do your due diligence in order to make sure that things are
on the up and up before you even consider moving to an integration phase.
Well, can you take us through some of the security protocols that are necessary for an M&A activity?
Well, first and foremost, you start off with the due diligence phase where you're looking
at the security posture assessment of that target organization, looking at third-party risk
management checks, you know, what is the blast radius in the event that something was to go wrong?
For the next stage, then, the integration phase, you're looking at aligning your identity
access management policies with access controls,
making sure that you're tackling extended access management,
and then consolidating vendor and SaaS ecosystems to reduce overlap
because one of the problems that I find in a lot of organizations
is they don't have a really good way to manage their SaaS contracts,
as it were, in a coherent fashion.
And then the third stage would be post-deal closure
of continuous monitoring of the inherited vulnerabilities,
because like it or not, you will inherit
something from the organization you're bringing in, and looking at formal audits to ensure that security
baselines are in fact being met.
How often does it happen that a pair of companies will think that they have a great match here,
the cultures line up, and then when you start digging into the security, you find that
there are some serious problems?
Honestly, that is more often than not.
And it's a troubling thing because I've experienced it at
companies in the past. I haven't experienced it here. We've been very fortunate so far.
But in the past, I have actually encountered exactly that, where it looked like a great
fit initially. And then once we started kicking things around, we realized that said company
was in a very, very bad position because they had gone along with the checkbox compliance
approach to security. And unfortunately, as a result, they weren't doing true security. They were
doing the bare minimum. And it needed to be a better threat or rather security posture in that
particular case. And so there are situations you've seen where this has actually killed the deal?
Yes. Yes. There was one in particular I mentioned earlier where I was able to put an end to the deal.
And I think one of the really big red flags initially was I asked what their cost for onboarding a new
customer was. And they had no idea how to answer the question. That was not so much a security issue as it
was a giant red flag that they didn't know how to properly quantify how they were bringing
people into the, or rather customers into the organization.
It strikes me that this is kind of a pay me now or pay me later situation.
You know, if you think that M&A is in your future, the time to start preparing yourself is now.
Yes. And that is a fair assessment because, you know, we're in a phase right now where there's a lot
of acquisitions that have been happening, and it's an ebb and flow. You will see this happen
for a couple of years, and then it'll go back to lots of organizations that are having all these
really great startups. And then, again, the acquisition cycle will begin again. So as a CISO,
when you're looking at the key actions that you want to take, you have to look at stuff like
conducting rapid security assessments, you know, you can identify gaps and breaches. It's not only good
for an acquisition perspective, but making sure that you have all of your compliance in a good
state as well as the overall security posture of your organization. You want to be able to
map the critical assets and data flows, understanding that you're inheriting issues, whether you're
the acquirer or the acquiree, and understanding where your crown jewels are. You know, where's your source
code, where is all of your corporate secrets? What else can you do here? You can establish an interim
access control policy to make sure that you're not over-permissioning things in order to get
the job done, because I've been in states where we brought in
an external organization and the IT team simply wanted to give them basically the equivalent of any-any access, if you know the firewall parlance, to just get the job done.
And unfortunately, that would have been a massive exposure because that particular company was located in a country where there are crypto export control issues.
And that's all I'll say about that piece.
But, you know, planning for identity access management consolidation because you bring the two companies together, you're not going to keep two of everything.
You're going to consolidate that because otherwise you're spending an absolutely metric ton of money to do the maintenance, because maintenance on any sort of project you buy, like IT in slow, is, you know, 23 to 25 percent per annum just for maintenance.
So if you're having two of everything, that's not really going to be a good look.
So you want to look at how you can do consolidation in a way that makes sense
and making sure that aligns to, you know, collaboration immediately.
What else can I tell you?
You're building a cybersecurity integration playbook.
You know, having your team being able to act swiftly once the deal is official
so that you've done all your due diligence, then you have your game plan that's ready to go.
And it doesn't have to be overly prescriptive.
It just hits on the highlights in order to tackle the problems right out of the gate.
And if you're a larger company where you're doing lots of acquisitions, then you can make this as a playbook that you can use over and over again.
Well, let's talk about that after the fact situation where the deals are signed, the merger or the acquisition has happened.
Everybody breathes a big sigh of relief.
Is there a tendency for people to then move on to the next thing and think, oh, well, we're done with that?
That does happen on occasion.
And there's also the whoops factor that comes into the equation as well.
I've seen in organizations where an acquisition was done,
everybody was having fun at the welcome party where the two companies came together.
And in that particular instance,
we noticed that none of the engineers were there from the core team.
And it turned out that at no point were they signed up to be part of the transition.
So there were no golden handcuffs.
So they were able to take their money and leave because they had no obligation
to stay because somebody missed a line in a contract.
And so that was a huge exposure there because you had just had the brain trust walk right out the door.
And that's interesting because that's not an element that I think I would have rolled into the due diligence for cybersecurity.
But it absolutely should be.
Exactly.
If you go back to the tried and true CIA, the availability becomes a real issue, the integrity becomes a real issue,
because all of a sudden all your institutional knowledge
has just walked out the door,
then all of a sudden, it's like,
oh, how are we going to keep these systems running?
How are you going to maintain them?
Because, oh, I don't think anybody has really good documentation.
There's only one company I've ever seen
that had stellar documentation.
But that was a unicorn.
So what are your recommendations then?
If a company thinks that M&A is in their future,
what sort of foundational things should they be putting in place?
Quite honestly, whether or not M&A is part of the situation, they should be looking at this as a way of making sure their security is up to date.
Because an M&A deal is not just a financial transaction, it's a cybersecurity event, and you want to make sure that you have strong security diligence that will help directly influence the success of the deal.
But when you're looking at it from the perspective of protecting your organization, going through those same steps of the risk assessment, the data flows,
access control strategy
and having that integration playbook,
all of those pieces,
while it may seem
it's purpose driven,
if you take a step back
and look at it again,
it's actually a really good way
to make sure that
you're in a better security posture
for your organization overall.
That's Dave Lewis,
Global Advisory CISO at 1Password.
You can get protein at home, or a protein latte at Tim's, no powders, no blenders, no shakers, starting at 17 grams per medium latte, Tim's new protein lattes, protein without all the work, at participating restaurants in Canada.
And finally, Britain's schools are apparently raising the next generation of hackers, though not quite in the way they'd hope.
The Information Commissioner's Office says 57% of cyber incidents in education since 2022
have been carried out by children, some barely out of primary school.
One seven-year-old even landed on the radar of the National Crime Agency,
after dabbling in mischief better suited to a bond villain than a year-two pupil.
Teenagers, meanwhile, have been breaking into databases of thousands,
claiming it's all for practice.
The ICO warns teachers not to overlook the insider threat posed by their own students
who are guessing passwords and downloading hacking tools like they're cheat codes.
Teachers, it seems, might want to lock down their digital grade books before their pupils do it for them.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Amanda Rousseau,
principal AI security researcher from Straiker.
We're discussing their work,
The Silent Exfiltration,
zero-click, agentic AI hack that can leak your Google Drive with one email.
That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we
deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by
Trey Hester with original music by
Elliott Peltzman. Our executive
producer is Jennifer Eiben. Peter Kilpe
is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see
you back here next week.
Thank you.