From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Tom McKay

itbrew.com

Graphic of gravestones in descending height order

Scam obituary sites draw enterprise traffic, research finds

Obituary sites that currently scam users into installing push notifications and pop-ups could be a vehicle for malware.

Amanda Florian

Threat actors in China becoming ‘more brazen,’ NSA says 

Dave Luber of the NSA told IT Brew new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

Billy Hurley

HSB adds cyber protections to automotive coverage

The insurance provider sees the car a lot like a computer—both can be hacked.

A shield with a checkmark inside icon denoting cybersecurity

Cybersecurity

Caroline Nihill

Security professionals know the only way to truly secure a computer is to encase it in concrete and dump it in the ocean. But short of that, these professionals do what they can—and that includes Philip Martin, CSO at massive crypto exchange Coinbase, who sees his job as a series of carefully considered risks.

Security practitioners, Martin told IT Brew, are here to help businesses “take calculated, knowing, understood risk in the right areas with the right risk treatment implemented around it.”

When an organization like Coinbase decides to launch an initiative that contains security risks, Martin said, “your job as a security practitioner is to figure out how we can do it safely.”

Martin added that his team seeks to “go fast and break nothing.” To ensure that, they look at solutions like automated testing to ensure that if something breaks, they know about it before a new capability or feature is released.

“It’s about going fast, understanding where the risks are in that innovation, and building mitigations for those risks if they’re to materialize,” Martin said.

Martin said supply-chain attacks are top of mind for him, especially given the 

Martin said that cybersecurity professionals have to pay a lot of attention and move carefully—especially as projects and libraries often have few “maintainers” and “don’t necessarily have the best operational hygiene on who can be a contributor, who can commit to things.”

While cryptocurrency platforms can be a prime target for attackers, defensive techniques are largely the same as those utilized by other industries.

“The difference for a company like Coinbase is we see some very sophisticated attacks across the board,” Martin said. “We are, I think, one of the larger targets out there today for bad actors. While it doesn’t change the mechanics or the attack or the defense, what changes is the likelihood of it occurring on the one side; on the other side, the seriousness with which Coinbase takes security.”

Scammers and fraudsters and threat actors, oh my! 

As with any other financial service, Coinbase users face the risk of scammers and fraudsters. To combat this, Martin’s team focuses on educating users to understand the characteristics of a scam.

Coinbase also features a 48-hour pause for transfers detected as potentially fraudulent. The customer is told their transaction is on hold, but can still go through with it by taking a scam quiz, which determines if the user is under duress or on the phone with a scammer.

“We’ve definitely seen cases where that control and others have prevented scams or malicious transfers,” Martin said. “Almost everything we’ve implemented in this regard has had a very high ROI in terms of improving customer safety and outcomes.”

If a scam does occur, and a customer transfers money off of Coinbase, there’s a record of that transaction on the blockchain. Martin shared that Coinbase will not only work with law enforcement, but other crypto exchanges if there’s a transfer as a result of a crime.

“That means we can, specifically on the threat intelligence side of the house, we can do a lot with tracking that money as it moves through a criminal ecosystem,” Martin said. “Sometimes it means that we are able to recover some of that.”

Martin added that the traceability of crypto is a feature, and one that he feels doesn’t exist in any other monetary instruments—especially as the transactions happen digitally and can be recalled.

A portrait of Coinbase Chief Security Officer Philip Martin

Coinbase CSO Philip Martin knows that security isn’t forever

Coinbase CSO Philip Martin shares how he secures one of the largest crypto exchanges in the US. 

Next time you see someone at your company with a recycle bin, maybe check their ID.

Former pen tester and red teamer Jake Williams said he once spraypainted a data-destruction company’s name on a wheeled trash can from Home Depot. From there, he went to an organization’s front door and said something to the effect of, “We’re here to shred your sensitive documents.”

Penetration testers, abbreviated to pen testers, are often hired by companies to simulate cyberattacks—and to see how well the company holds up to adversarial tactics. Red teamers like Williams serve a similar role, often looking comprehensively at a client organization’s defenses rather than focusing on specific vulnerabilities. Whatever their role, sometimes a hack requires a humble trash can, clipboard, or other, everyday object.

 low-tech here, right? But look, people are wired to want to help people. We’re wired to believe that things are as they seem,” Williams, faculty at IANS Research and VP of R&D at cybersecurity company Hunter Strategy, said, recalling his time red teaming and pen testing at Rendition Infosec, where he was CTO from 2013 to 2021.

Physical-access testers past and present spoke with IT Brew about the low tech they’ve used to gain high levels of access. Are our adversaries doing the same?

Zach Varnell, currently security consulting lead at web app pen-testing firm Asteros, seems to know where to find a Home Depot when necessary, too. On a former red-team engagement more than a decade ago, he said, a team member filled a pest-control canister with water and began spraying the grass outside, taking his time so everyone inside noticed. Moments later, the colleague went to a side door, asking to be let in. The company’s employees were hesitant, Varnell recalls—at first.

“Then he was like, ‘Well, I’m here to spray for black widows,’” he said.

While Varnell’s co-conspirator finished the fake spraying job, he left and held the door open for Varnell, who played the part of an intern. Instead of performing typical trainee tasks, though, he placed keystroke loggers (tools used to capture what someone’s typing, including passwords) into computers.

Physical attacks—“deliberate threats that involve 

”—are not extremely popular hacker tactics. After all, who doesn’t love working remotely? Cyberattacks continue to be a leading attack vector; according to a July report from the Identity Theft Resource Center (ITRC), 1,348 cyberattacks led to data breaches during H1 2025.

The ITRC calculated 34 “physical attacks”—a small amount by comparison, but a slight increase from the 33 physical attacks tallied in 

of 2024. (The report did not specify how many real-world attacks used fake pesticides.)

 Michael Welch, managing director and CISO at professional-services firm MorganFranklin Cyber, has seen organizations such as manufacturers hire red teamers to test the security of their own infrastructure and on-prem technology.

Some clients need the tests for compliance purposes, according to Welch, to meet standards like CMMC for defense contractors and HIPAA for healthcare pros, and to demonstrate proof of effective physical controls.

Physical attacks need somebody to be there, which takes resources, and may dissuade the average adversary on the other side of the world who can hack from home. Still, the red-team tests are important, Welch emphasized.

“You can’t just say, ‘Well, it’s small, so we’re going to ignore it.’ That just wouldn’t be good business sense. It’s not good risk management,” he said.

While Williams said nation-state adversaries will likely avoid physical attacks because of the high risk of getting caught, he has worked with clients who’ve discovered implanted listening devices in their environments.

As a hired pen tester, Williams has gained entry and placed small computers into open network jacks; the placement creates an endpoint on the network, which he can potentially connect to and perform malicious activity if network defenses are not in place. He has also grabbed small-form-factor computers—perhaps lacking full-disk encryption—left out in the open. Behind all the costumes, props, and impersonations, a red-team exercise is really about seeing how a company holds up on a real trash day.

“As CISO, as a network defender as well, you’re able to look and say, ‘Do my cybersecurity controls just collapse once somebody physically is inside one of our facilities?’” Williams said.

Image of a white security camera against a pink backdrop.

Recycle bins, pest-control sprayers, and other non-tech ways to breach security

 Red teamers are hired to craftily break in. Are our adversaries doing the same?

Brianna Monsanto

New data from DNSFilter shows that cybercriminals are stooping to a new low: targeting job seekers.

The cybersecurity company found 8,724 malicious domains containing the word “jobs,” with the overwhelming majority (86%) newly registered or observed. Meanwhile, 1,161 malicious domains contained the word “careers.”

Gregg Jones, an intelligence analyst lead at DNSFilter, told IT Brew that while it isn’t new for cybercriminals to target job seekers, the problem has been amplified by “current world conditions” that make those on the hunt for employment especially vulnerable to scams. While the US unemployment rate stood at 4.3% in August—the most recent published figure from the Bureau of Labor Statistics (BLS) due to the 

—job hiring has continued to falter. According to the BLS, US employers added 22,000 jobs in August, a sharp decline from 142,000 in the same period last year.

“​​The economy is not so great…people are struggling to find jobs, some people are struggling to keep jobs, and it’s that constant ebb and flow of ‘where’s the good sheep for the wolf to go attack?’” Jones said.

 Job seekers shouldn’t take the interest from cybercriminals personally, as malicious actors have placed targets on the backs of hiring managers, as well. In May, Arctic Wolf Labs released 

 about a spearphishing campaign hurled by threat group Venom Spider at hiring managers, with threat actors using résumés laced with malware when applying for jobs. Recruiters also have been grappling with the growing 

 scheme, which has grown in sophistication thanks to deepfake technology.

 DNSFilter suggests job seekers double-check domain names and stay away from links with “excessive hyphens or strange extensions.” Jones added that if a job offer looks too good to be true, it probably is, and said individuals can always reach out to hiring managers to verify recruitment notifications: “No one should ever chastise you for being extra careful.”

Cybercriminals have their eyes on job seekers

Job seekers can always double-check the validity of extended job offers with hiring managers, says DNSFilter Intelligence Analyst Lead Gregg Jones.

After a handful of cybersecurity incidents linked to Salesforce, including the Salesloft Drift data extortion incident and ongoing social engineering threats, industry leaders are encouraging others to prioritize system agility and careful vendor onboarding.

 found through an independent analysis that threat cluster UNC6040, a vishing-focused and financially motivated campaign, sought to compromise organizations’ Salesforce instances for data theft and extortion. Salesforce posted online warnings about the threats at the beginning of October, with the ongoing response last updated on Oct. 17.

The attempts to breach networks via vishing, according to GTIG, “have proven particularly effective in tricking employees, often with English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data.”

“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” GTIG wrote.

Nicole Aranda, a Salesforce senior manager for corporate communications, told IT Brew via email that, following the most recent 

 from threat actors, there is no indication that the company’s platform has been compromised, “nor is this activity related to any known vulnerability in our technology.”

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Aranda wrote.

Justin Tolman, the digital forensic subject matter expert and evangelist for e-discovery and software company Exterro, told IT Brew that, in light of the recent Salesforce breaches, companies need to prioritize securing third-party plugins that use a company’s platform, which can be done during the vendor onboarding process.

“What happens as companies grow…and in the Internet of things era that we are in, is different things are added to their software that they don’t have necessarily direct control over,” Tolman said. “If you look at a lot of the breaches that Salesforce ‘had,’ these were through breached third-party plugins that were using the Salesforce platform to then steal information.”

Tolman added that, for professionals combatting exposure through third-party resources like plug-ins, there needs to be increased focus on vendor onboarding rather than just doing a “tech check.” Some questions Tolman suggested included: 

Does your API plug in properly, and do what it says it does?

“I do feel like as Salesforce is the owner of the ecosystem, the manager of the ecosystem, they are ultimately responsible for ensuring that the plug-ins and the third-party apps and the different things—at least if it’s officially supported by Salesforce,” Tolman said.

Shree Reddy, the CIO of PenFed Credit Union (a customer of Salesforce that uses its agentic AI solution) told IT Brew that, in light of the recent slew of cybersecurity incidents concerning Salesforce and its customers, no organization is exempt from issues concerning cybersecurity. He pointed to the Salesforce ecosystem as having multiple technologies, and therefore multiple points of threat.

“That doesn’t take away the risk associated with it. However, in Salesforce’s open architecture, [it] also enables you to embrace concepts such as zero trust…and that gives you the option to go above and beyond what the platform provides,” Reddy said.

The Salesforce platform, Reddy added, gives customers the option to “go above and beyond” what Salesforce offers, with a set of baseline capabilities that customers can add to or adjust.

“[Salesforce’s platform] provides you to further strengthen your cybersecurity posture,” Reddy said. “In my opinion, it actually positions you for strength compared to a siloed tech stack and a siloed architecture.”

Reddy said IT pros have to build ecosystems that embrace agility via composable architecture, which is IT architecture that’s built from modular components for easy assembly and reassembly, to retain the ability to pivot a tech strategy in the face of internal and external factors.

“Agility is what makes the technology empower your business and empower our members and communities,” Reddy said. “Truly that platform strategy compared to the other siloed, segregated tech-stack view has tremendously helped us in multiple ways.”

What IT pros should know about the recent Salesforce breaches

Industry leaders are encouraging others to prioritize system agility and vendor onboarding.

For job huggers—people who cling to their current role even if they aren’t fully happy in that position—the answer is the former. However, job hugging is a little more nuanced than it might seem, and a little more risky for cyber pros.

 from job search platform Monster, based on a survey of 1,004 US employees, found that 48% of workers are considered job huggers. Thomas Vick, a senior regional director at management consulting company Robert Half, told IT Brew the behavior is driven by economic uncertainty, with employees 

“If you had the Great Resignation on one end of the spectrum, now we’re operating on the other end where people are a lot more cautious,” Vick said.

What does that have to do with cybersecurity?

 Job huggers may seem like an obvious issue for HR professionals and managers who want more 

 out of their teams, but some cybersecurity professionals believe the growing trend may also lead to a rise in 

. Ivanti CSO Daniel Spicer told IT Brew a disengaged employee does the “bare minimum” at their job…and for many, that doesn’t include cybersecurity best practices.

“They’re more likely to fall for a phishing email,” Spicer said. “They’re more likely to consider or accept an offer to share credentials or access to a third-party for ransomware.”

Other risky behaviors from unenthusiastic employees include being less likely to report security issues right away or paying less attention to software patches, according to Spicer.

“The weakest part of any security program is still people, and disengaged people are just that much weaker of the link,” he said.

Rajan Koo, CTO of insider risk management company DTEX, said that, when interviewed after an incident, malicious insiders often felt professionally stagnant or disengaged.

“Just because somebody is disgruntled, just because they’re stuck in their job and they’re not moving to another job, doesn’t necessarily mean they’re going to be a malicious insider,” Koo said. “But it is often a precursor for those that do become malicious insiders.”

, when employees and employers have a “positive mutual reliance” on one another, as especially relevant in the job-hugging era.

“They’re not happy in their current job and a lot of the time, that disgruntlement increases and that loyalty towards the company decreases and…it can be a recipe and a precursor for a range of things, whether that be non-malicious or malicious types of insiders,” said Koo.

Vick told IT Brew that job huggers can be hard to identify “if you’re not having regular communication as to what the career goals of that individual are” or what they want to learn.

What should a cybersecurity expert do if they suspect job huggers are present in their workforce? Spicer told IT Brew they could start by looking at employee engagement surveys within their organization, something he pays a lot of attention to. An IT Brew poll of 201 readers found that over one-third (35%) of professionals use engagement surveys in some capacity to gauge insider threats within their organization. The remaining two-thirds (65%) said they either don’t review or care for these workplace surveys or don’t use them to determine potential insider threats.

“Obviously, any good engagement survey doesn’t out an individual, but if I see a weakness in a particular department…that’s something that I need to have a conversation with my peers,” he said.

Koo added that when organizations detect a disengaged employee, that doesn’t automatically mean they should give them the boot. Instead, he suggests that companies spend time reengaging that employee.

“That’s the right time to be even more loyal to that individual, especially if they’re somebody who you feel is doing their job.”

Laptop with a manager messaging an employee "how are you feeling?" with a cursor hovering over a happy emoji and sad emoji

‘Job huggers’ are a new cybersecurity problem

One CSO says disengaged employees are more likely to fall for phishing emails and report security issues too late.

Eoin Higgins

The video game industry is the biggest entertainment sector in the world. For IT workers in video games, whether developers, security professionals, or others, that success means challenges and hard work.

Software development is going through changes, Chris Anley, a chief scientist with research firm NCC Group, told IT Brew, and the gaming industry is no different. Supply-chain issues plague software, and security is always top of mind. Meanwhile, a demanding user base wants top performance and seamless experiences.

“If you’re writing games, you’re trying to get the most performance out of the hardware you possibly can, you’re trying to provide the richest experience for your users,” Anley said.

The user base is demanding. Fastly CTO Artur Bergman noted that’s a part of the incentives of the industry.

“Gamers are more technical and more verbal when things don’t work than most people,” Bergman said. “The patience for slow downloads and for any kind of errors is much lower.”

Slower download rates—a complaint his company encounters as part of providing software services for game developers—are of particular concern. People aren’t willing to wait around when downloading to play, and it’s a challenge that must be anticipated and dealt with.

And those traffic demands can be spiky, correlating to releases: “It behaves much more like a sports live event than it does normal traffic,” Bergman said. In September, 

, including Nintendo, PlayStation, Xbox, and Steam, due to demand.

Games are getting larger, especially when it comes to blockbusters, also known as AAA games. In addition to being heavy on the download side, they are particularly expensive to develop—2020’s 

 to make. The cost and time to produce new IP presents a risk as well; if a game isn’t financially successful, then the production is a sunk cost. Kevin Janzen, CEO of Globant’s gaming and ed. tech AI studio, told IT Brew that all adds to the pressure for staff, especially in the post-Covid sales landscape.

“There’s been this situation with so many companies having to rethink their plans, and so many others being acquired by larger studios that can’t afford the risk of making a game that doesn’t perform according to expectations, and that’s still not meaning bankruptcy,” Janzen said. “That has caused a state of uncertainty for the professional IT person.”

Making production more cost-effective will help to reduce studio dependency on just one project, Janzen said. Consumers don’t buy as many new games, meaning that staying profitable often requires delivering new experiences and good gameplay within existing properties. In order to stay viable and profitable—and maybe to develop the next 

—companies often turn to overworking their employees to keep up with competitors, often accelerating the demand during “crunch time” before a game 

. Janzen doesn’t feel that’s necessary, though.

“It’s not necessarily working harder or more hours, it’s trying to work more efficiently and trying to think, ‘How can we make sure that we have a good game that satisfies the expectation of consumers without necessarily increasing the expense of game development?’” Janzen said, adding, “It means to think differently and try to understand, how can we offset that risk?”

A retro video game controller photographed in front of an orange background

Video game industry IT full of challenges, user base concerns

Game CTO tells IT Brew the industry needs to “think differently.”

Have you ever been tempted to spend less than $1,000 on satellite equipment—just so you can show how much sensitive data can be easily accessed?

Computer scientists from the University of California, San Diego, and the University of Maryland answered “yes” to that question. In a 

 published Oct. 13, they wrote that they can use satellites to access large amounts of sensitive and unencrypted traffic from a variety of sectors, including the telecommunication, retail, and even the military.

The researchers focused their study on geostationary (GEO) satellites, which orbit the Earth’s equator, receiving and amplifying signals from the ground. Hardware used to conduct the study included a Ku-band satellite dish, a low-noise block downconverter to amplify weak signals, and a dish motor to enable automated movement for tracking purposes, among other materials. In total, the equipment ran the researchers just under $700, or roughly what you’d pay to rent a one-bedroom apartment in Wichita, Kansas.

With their makeshift setup, the researchers set up base on the roof of a university building in San Diego, where they performed a “broad scan of IP traffic on 39 GEO satellites

From these scans, researchers said they saw “unencrypted cellular backhaul traffic from multiple telecommunications providers,” including KPU Telecommunications and AT&T Mexico. While listening to a nine-hour recording of raw data streams, they added, they identified three satellite beams that carried unencrypted T-Mobile traffic, and observed close to 3,000 user phone numbers from metadata. Neither KPU, AT&T Mexico, nor T-Mobile responded to IT Brew’s request for comment on the findings.

Telecommunications providers weren’t the only ones with exposed traffic. Researchers also noted unencrypted traffic from US-owned sea vessels and organizations within the Mexican government.

On the corporation side, researchers identified unencrypted Walmart Mexico internal system traffic, which contained private data, including encrypted internal corporate emails, inventory records, and logins to the company’s inventory management system. Walmart Mexico did not respond to IT Brew’s request for comment by the time of publication.

In total, 50% of GEO links observed in the study contained cleartext IP traffic.

Researchers reached out to affected parties to disclose their findings from the study, and several remedies have been deployed to address vulnerabilities. Based on their findings, they concluded that there is a “clear mismatch” between satellite customers’s expectations of data security and the security that is actually in place.

“Cell phone traffic is carefully encrypted at the radio layer between phone and tower to protect it against local eavesdroppers,” the researchers wrote. “It is shocking to discover that these private conversations were then broadcast to large portions of the continent, and that these security issues were not limited to isolated mistakes.”

The researchers say there’s no way to determine if someone has set up a dish to secretly listen to traffic. However, end users can use a VPN to encrypt network traffic they generate, as well as end-to-end encrypted apps for voice and messaging communications. Organizations should treat their satellite communication links like “unsecured and public wireless networks,” according to the researchers, who also suggest companies should also practice strong encryption.

“Encryption should be used at every layer as defense-in-depth protection against individual failures,” the researchers said. “Treat encryption as mandatory, not an add‑on.”

It takes less than $1k to access unencrypted satellite data: study

Researchers from the University of California, San Diego, and the University of Maryland say 50% of GEO links observed in their study had cleartext IP traffic.