The eternal game of musical chairs continues: Credential management firm NordPass has released its annual list of the top 200 most common passwords, and while the order may have shuffled around a little, they’re as weak as ever.
In last year’s NordPass roundup, the word “password” came out on top. In 2023, “password” fell to seventh place, though it’s not like it was replaced by anything better.
The top 10 passwords, according to NordPass, consisted mostly of variations on counting upward from one:
- 123456
- admin
- 12345678
- 123456789
- 1234
- 12345
- password
- 123
- Aa123456
- 1234567890
It remains as unsurprising as ever that the most common passwords are so weak, given that the whole point of a password is to make it hard for someone else to guess.
Read more here.—TM
Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.
Cloudy with a chance of oversight: That’s the latest forecast from the Federal Trade Commission.
FTC chair Lina Khan said during a November open meeting with lawmakers and members of the public that her agency expects to increase scrutiny of cloud computing, because of its ubiquity and its position in a market dominated mainly by three providers: Amazon, Microsoft, and Google.
“Because cloud computing increasingly serves as key infrastructure, it has been raising a whole set of competition and consumer protection questions, including whether firms may be using their dominance in ways that undermine fair competition,” Khan said. “And whether dominance in this market may heighten fragility, creating a single point of failure or risk to data security.”
Business is booming. As IT Brew previously reported, cloud computing roles dominate the certification market. And while some C-suiters are reconsidering their investment in the cloud, the sector remains strong. Hence, Khan said during her remarks, the agency’s focus.
“This is a market that’s not always super visible to everyday people, but behind the scenes it increasingly plays a critical role,” Khan said. “Companies across the economy rely on cloud providers to power their services, as does the US government.”
Read more here.—EH
In a November private-industry advisory, the FBI noted a “trend” of callback phishing, a social engineering attack that involves interaction between the threat actor and the target. The phish, which ultimately convinces a victim to call back and download malware or offer up remote access, is especially difficult to defend against, because the tactic uses legitimate IT tools.
The FBI summarized the phishy extortion of the Silent Ransom Group (SRG), aka Luna Moth:
- Once the victims responded to SRG’s phony charges and called the phone number it provided, the group sent a follow-up email directing them to download a “legitimate system-management tool,” which was then used to install other credible management tools that could be “repurposed for malicious activity.”
- “The actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies,” the advisory read.
While the agency did not give specifics about the system-management tools SRG deployed, cybersecurity company Palo Alto Networks used a threat-research post in November 2022 to show how the group tricked users into downloading remote-support tool Zoho Assist.
Keep reading here.—BH
Stat: 67%. That’s the number of respondents from a tech-learning group survey who reported that their companies are using generative AI. (O’Reilly)
Quote: “So, one way to look at this is like Gmail on Black Friday or Cyber Monday. It’s kind of like JFK airport over Thanksgiving.”—Robert Holmes, group VP and general manager at Proofpoint, on the cyber risks of Cyber Monday (NPR)
Read: Companies like StoryFile, Seance AI, and Replika are trying to heal hearts with “grief tech.” (Vox)