Illustration: Dianna “Mick” McDougall, Photo: Getty Images
Exactly 9,429 people are into Metallica—at least as a password, according to a list compiled for IT Brew by the password manager NordPass.
NordPass’s data-pull revealed some of 2023’s most commonly used passwords in the categories of online games, movies, cars, sports, and music. The pop-culture PWs, which included over 30,000 unique instances of “minecraft,” over 8,000 instances of “mercedes,” and, somehow, over 11,000 cases of “mamamia78,” demonstrate that malicious hackers have some easy first guesses if they know a target’s particular interest.
“People think that, ‘I don’t have anything precious online, in my digital world’…But that’s not true. You have your identity, which is very, very important,” said Tomas Smalakys, CTO of Nord Security.
Phishing and stolen or compromised credentials led the list of attack vectors in IBM’s 2023 “Cost of a Data Breach” report.
The average price of a compromise initiated by stolen credentials, according to IBM’s analysis of breaches from March 2022 to March 2023, was $4.62 million.
Damian Archer, VP of Americas at the cybersecurity provider Trustwave, says common passwords help cyberattackers as they target executives and gather their digital information scattered online. A CEO who’s a Chicago Bulls fan, for example, might use “jordan23,” Archer told IT Brew.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
Security and IT leaders face an impossible mandate: Implement a Zero Trust security architecture without hurting employee productivity or business outcomes. That’s a lot to ask—but it’s possible when you partner with Kolide.
Kolide equips its customers to build device trust solutions that work with end users. In these candid testimonials, leaders from Databricks, Watershed, and Clio explain how they used Kolide to focus on educating employees instead of utilizing punitive, top-down measures. Talk about a win-win.
The best part? Kolide is a device trust solution for organizations using Okta’s user authentication. All three of these orgs use Okta and Kolide in tandem within their Zero Trust architecture.
Check out these testimonials.
Mykyta Dolmatov/Getty Images
Cyber-kidnapping isn’t new. But advancements in AI—like mainstream access to voice cloning and deepfakes—could fuel even more copycat cases.
In typical incidents of cyber-kidnapping, everything happens virtually—attackers use manipulation tactics to make it seem as if someone is being held hostage, coercing family or friends to pay the ransom and gain their release. The schemes have been around for more than 20 years. A Los Angeles FBI investigation from 2013–2015 found the majority of cases happened in Mexican prisons. The rise of AI has added to these and similar schemes as scammers have begun using voice cloning technology to sound exactly like supposed victims.
“The more real a bad actor can make a scenario true to life, the better,” Chris Stangl, a former FBI special agent in the cyber division, told IT Brew. “A person’s likeness captured by a bad actor and then manipulated into synthetic content is a game changer in that a call to a victim is more authentic.”
Read more here.—AF
Do you work in IT or have information about your IT department you want to share? Email amanda.florian@morningbrew.com.
Anadolu/Getty Images
At CES 2024, IT Brew talked with Boston Consulting Group Managing Director Nadine Moore about security, IT team strategy, and more. Stay tuned for our full conversation later, but here’s a preview.
IT Brew: If I’m an IT team lead, and I’m being asked to do more with too little, how do I convince my employer to invest in security?
Nadine Moore: I think you need to take a fresh look at, “What am I doing? Am I getting the risk/return trade-off for those investments? And now that I have these new things I have to think about, if I have $1, where am I going to put it?”
I’m hopeful that organizations are doing that. As they think about investing in the new technologies and these new AI capabilities, we’re seeing clients embedding the cyber cost right up front with the entire effort—which I think is great.
So then it’s not just like a cyber budget line item, you’re actually an integrated team with embedded cost, risk, cyber, data privacy, everything is all together with the work that you’re doing on the models.
—EH
Francis Scialabba
Today’s top IT reads.
Stat: 80%. That’s the percentage of company safety engineers Elon Musk fired after taking over the company formerly known as Twitter. (The Register)
Quote: “There’s a rush to proclaim the authority and the usefulness of these kinds of chatbot interfaces and the underlying language models that power them…But the evidence that AI chatbots can deliver those effects does not yet exist.”—Ben Williamson, a chancellor’s fellow at the University of Edinburgh’s Centre for Research in Digital Education, on AI in schools (the New York Times)
Read: Google Cloud is winding down switching fees, putting pressure on its biggest rivals—Amazon Web Services and Microsoft Azure—to follow suit or lose face with customers. (Bloomberg)
Gone phishing: MGM’s weak user authentication left it vulnerable to phishing. Here’s the catch: It could have been stopped by verifying user identity + device posture. Kolide dug into what went wrong. Check it out.* *A message from our sponsor.