From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

IT Brew

Tom McKay

itbrew.com

Graphic of gravestones in descending height order

Scam obituary sites draw enterprise traffic, research finds

Obituary sites that currently scam users into installing push notifications and pop-ups could be a vehicle for malware.

Amanda Florian

Threat actors in China becoming ‘more brazen,’ NSA says 

Dave Luber of the NSA told IT Brew new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

Billy Hurley

HSB adds cyber protections to automotive coverage

The insurance provider sees the car a lot like a computer—both can be hacked.

A shield with a checkmark inside icon denoting cybersecurity

Cybersecurity

Brianna Monsanto

That 65-inch smart TV in your home can be more dangerous than you think.

 from Bitdefender and Netgear, which found that the average smart home receives at least 29 attacks per day via connected devices. Streaming devices and TVs were the most vulnerable connected devices, accounting for 25.9% and 21.3% respectively of exposed devices examined by the two security companies. The report is based on threat intelligence from 6.1 million smart homes in the US, Australia, and Europe collected between January and October this year. The average smart home has 22 connected devices, according to the report.

High port scanning attacks, which occur when cybercriminals send packets to ports to determine server vulnerabilities, were the most common type of attack in the report’s analysis of 13 billion security events. Bogdan Botezatu, senior director of threat research and reporting at Bitdefender, told IT Brew that these attacks are used to determine what device they can target and how it could be compromised.

“They will be able to identify devices this way, and they will be able to identify vulnerable services running on these devices,” Botezatu said. “If they want to exploit the device, they first need to understand what they’re dealing with.”

 Botezatu told IT Brew that smart consumer devices have been finding their way into enterprises, but not all companies will have the manpower or the knowledge to know how to securely connect, for example, the new smart fridge in their office.

“They will hook the fridge up to the first network that they own and they will not even consider the fact that that is improper behavior,” he said.

As a result, seemingly innocuous gadgets—smart plant pots, smart TVs, and more—have the potential to expose corporate networks if a vulnerability is exploited, he said.

“They’re nice until somebody stumbles upon a vulnerability, and all of a sudden, they pivot to the corporate network through a small plant pot,” Botezatu said, adding that the predicament isn’t as outlandish as it sounds. In 2017, an unnamed North American casino was 

 after malicious actors exploited a vulnerability in a smart thermometer in a fish tank located in its lobby.

 Nate Swanner, a program manager, longtime tech journalist, and iOS developer, said companies should “minimize” their use of connected devices by not connecting them to corporate networks.

“Nobody really needs to send their preferred coffee to their Keurig from their desk,” Swanner said. “Get up and walk 20 feet.”

He added that companies should do their research on smart devices prior to buying to ensure they are meeting security requirements.

“Look up if there’s been exploits…There’s plenty of documentation on all these platforms,” Swanner said, adding that companies typically have a developer advocate who can address any concerns.

Smart devices put homes, offices at risk: report

Smart TVs and other devices can create an attack surface on corporate networks, according to a new report.

If at first you don’t succeed, prompt, prompt again.

, Cisco showed that open-weight large language models—those with their trained parameters publicly available—were especially susceptible to a chain of malicious prompts known as a multi-turn attack. Cisco used its “AI Defense” assessment tool to determine that multi-turn scenarios were two to 10 times more successful than single-turn ones at achieving a cyberattacker’s aims.

Tested threats included nefarious tasks like malicious code generation and sensitive information disclosure.

The models studied models in the research included Alibaba’s Qwen3-32B, DeepSeek’s v3.1, Google’s Gemma 3-1B-IT, Meta’s Llama 3.3-70B-Instruct, Microsoft’s Phi-4, Mistral’s Large-2, OpenAI’s GPT-OSS-20b, and Zhipu AI’s GLM 4.5-Air.

 To test the effectiveness of a single input to “jailbreak” an LLM, the group sent out 1,024 prompts. Single-turn attack success rates (ASR) averaged 13.11%, “as models can more readily detect and reject isolated adversarial inputs.”

The group’s multi-turn attack set featured 96 pre-defined malicious intents, with strategies like increasingly intense requests (known as “crescendo”); asking the model to perform personas; and rephrasing rejected prompts. Cisco’s team said it conducted 499 conversations across all models, and each exchange lasted an average of 5 to 10 turns.

According to Cisco, all models demonstrated “high susceptibility” to multi-turn attacks, with success rates (meaning vulnerability) ranging from 25.86% (Google Gemma-3-1B-IT) to 92.78% (Mistral Large-2). The average: 64.21%.

The findings, the study writers claim, expose a “dominant and unsolved pattern in AI security.” Successful prompt injections could lead to sensitive data exfiltration, fast-spreading content manipulation, and operational disruption.

) offer mechanisms for evaluating inputs, outputs, and model behavior.

While Joseph Perry, senior manager at cybersecurity consultancy MorganFranklin Cyber, still sees protection against multi-turn attacks as an unsolved problem, he considers projects like Llama Guard as a promising way forward.

In an email to IT Brew, Perry wrote that adversarial simulation, also known as 

, will be a helpful way to reveal risk—“denylisting,” or blocking malicious actions one by one, won’t work, he warned.

“In general, the solution will need to center on context awareness. That could mean deploying a monitoring model specifically trained to detect multi-turn attack patterns, incorporating more complex model cost-function analysis, or even taking a more novel or experimental approach,” he wrote.

More prompt-related vulnerabilities have been discovered recently by other researchers, including ones reportedly impacting 

In its report, Cisco recommended best practices for developers, including the creation of a strong system prompt, or ​​a set of instructions and contextual information provided to AI models before they engage with user queries. (Developers must also ensure users cannot 

 the system prompt, Cisco added.) The company also recommended monitoring “worst-case operating conditions,” taking into consideration the objectives of threat actors.

“It is still worthwhile for us to develop an open community around this, to call out the vulnerabilities and susceptibilities of these models so that it informs downstream development and later versions of models to have that in mind,” Amy Chang, AI threat research and security lead, told IT Brew. “There is an appetite out there for people to have very strong, strong baselines for safety and security in their models.”

 Cisco shows LLMs get worn down by ‘multi-turn’ prompt attacks

It’s “death by a thousand prompts,” the vendor writes in a report released this week.

Air Force veteran Frankie Sclafani considers himself lucky that his military experience translated directly to his civilian career as a cybersecurity expert.

Sclafani managed critical cyber operations for the Maryland Air National Guard, led network operations for the US Air Force, and conducted incident response and signal-intelligence collection for the National Security Agency. He’s also jumped into the private sector, where he helped secure systems at Google, Mandiant, and now the managed detection and response company Deepwatch.

Other veterans haven’t had as smooth of a professional transition. Sclafani said they may feel lost after leaving the military for civilian life and a new potential career.

“When you leave the military, a lot of people don’t tell you this, but there is a little bit of a sense of feeling lost and maybe directionless or missionless,” Sclafani told IT Brew.

He sees cybersecurity as a welcoming destination for veterans, whose years spent tracking adversaries can translate well to a cyber career with its share of threat hunting.

A security operations center (SOC)—a hub for monitoring IT infrastructure—sends alerts about potentially malicious activity. A SOC analyst often examines the findings, perhaps a phishing message or an unexpected login. Someone as familiar with following procedures as a military pro might appreciate the built-in structure found in many of these command centers, according to Sclafani. SOCs frequently have a hierarchy of tiers with specific and increasing responsibilities.

A veteran, he adds, has been trained to think like an adversary, ​​and they can potentially put themselves in the headspace of a threat actor trying to evade detection.

“Having that discipline and that structure and those procedures helps ensure we get all of the correct intelligence that we need,” Sclafani said. For an alert like a phishing email, he has seen “next-level” investigations in a SOC that include interacting with a phishing link through a sandbox environment, and reviewing executables hosted on a phishing message’s domain.

 offer perks for military veterans looking to begin a cybersecurity career, including early training options and internship opportunities.

With SkillBridge, active duty members receive their full military pay and benefits while they’re interning at a civilian company.

“While I didn’t utilize SkillBridge when I was transitioning out of the military, I wish that I did, and I wish that I knew more about it at the time I was leaving active duty,” Sclafani said.

Cybersecurity jobs are certainly in demand: CyberSeek, a provider of cybersecurity workforce data, revealed 

 cybersecurity job openings online. The veteran unemployment rate stood at 3.1% as of August 2025, according to US Department of Labor statistics—only slightly lower than the 3.5% unemployment rate in August 2024.

Sclafani said he understands how “intimidating and challenging” a new career phase can be for a military vet who has ended their service.

“It’s a scary transition. So, anything that we can do, I think, as a population, to help make that transition a little bit easier for those who decided to serve and set them up for success and good opportunities is going to be big,” he said.

A portrait of Air Force veteran Frankie Sclafani

Why vets can handle cyberthreats

 Former US Air Guard cyber operations specialist Frankie Sclafani talks about the move from the military to private IT.

Caroline Nihill

Security professionals know the only way to truly secure a computer is to encase it in concrete and dump it in the ocean. But short of that, these professionals do what they can—and that includes Philip Martin, CSO at massive crypto exchange Coinbase, who sees his job as a series of carefully considered risks.

Security practitioners, Martin told IT Brew, are here to help businesses “take calculated, knowing, understood risk in the right areas with the right risk treatment implemented around it.”

When an organization like Coinbase decides to launch an initiative that contains security risks, Martin said, “your job as a security practitioner is to figure out how we can do it safely.”

Martin added that his team seeks to “go fast and break nothing.” To ensure that, they look at solutions like automated testing to ensure that if something breaks, they know about it before a new capability or feature is released.

“It’s about going fast, understanding where the risks are in that innovation, and building mitigations for those risks if they’re to materialize,” Martin said.

Martin said supply-chain attacks are top of mind for him, especially given the 

Martin said that cybersecurity professionals have to pay a lot of attention and move carefully—especially as projects and libraries often have few “maintainers” and “don’t necessarily have the best operational hygiene on who can be a contributor, who can commit to things.”

While cryptocurrency platforms can be a prime target for attackers, defensive techniques are largely the same as those utilized by other industries.

“The difference for a company like Coinbase is we see some very sophisticated attacks across the board,” Martin said. “We are, I think, one of the larger targets out there today for bad actors. While it doesn’t change the mechanics or the attack or the defense, what changes is the likelihood of it occurring on the one side; on the other side, the seriousness with which Coinbase takes security.”

Scammers and fraudsters and threat actors, oh my! 

As with any other financial service, Coinbase users face the risk of scammers and fraudsters. To combat this, Martin’s team focuses on educating users to understand the characteristics of a scam.

Coinbase also features a 48-hour pause for transfers detected as potentially fraudulent. The customer is told their transaction is on hold, but can still go through with it by taking a scam quiz, which determines if the user is under duress or on the phone with a scammer.

“We’ve definitely seen cases where that control and others have prevented scams or malicious transfers,” Martin said. “Almost everything we’ve implemented in this regard has had a very high ROI in terms of improving customer safety and outcomes.”

If a scam does occur, and a customer transfers money off of Coinbase, there’s a record of that transaction on the blockchain. Martin shared that Coinbase will not only work with law enforcement, but other crypto exchanges if there’s a transfer as a result of a crime.

“That means we can, specifically on the threat intelligence side of the house, we can do a lot with tracking that money as it moves through a criminal ecosystem,” Martin said. “Sometimes it means that we are able to recover some of that.”

Martin added that the traceability of crypto is a feature, and one that he feels doesn’t exist in any other monetary instruments—especially as the transactions happen digitally and can be recalled.

A portrait of Coinbase Chief Security Officer Philip Martin

Coinbase CSO Philip Martin knows that security isn’t forever

Coinbase CSO Philip Martin shares how he secures one of the largest crypto exchanges in the US. 

Next time you see someone at your company with a recycle bin, maybe check their ID.

Former pen tester and red teamer Jake Williams said he once spraypainted a data-destruction company’s name on a wheeled trash can from Home Depot. From there, he went to an organization’s front door and said something to the effect of, “We’re here to shred your sensitive documents.”

Penetration testers, abbreviated to pen testers, are often hired by companies to simulate cyberattacks—and to see how well the company holds up to adversarial tactics. Red teamers like Williams serve a similar role, often looking comprehensively at a client organization’s defenses rather than focusing on specific vulnerabilities. Whatever their role, sometimes a hack requires a humble trash can, clipboard, or other, everyday object.

 low-tech here, right? But look, people are wired to want to help people. We’re wired to believe that things are as they seem,” Williams, faculty at IANS Research and VP of R&D at cybersecurity company Hunter Strategy, said, recalling his time red teaming and pen testing at Rendition Infosec, where he was CTO from 2013 to 2021.

Physical-access testers past and present spoke with IT Brew about the low tech they’ve used to gain high levels of access. Are our adversaries doing the same?

Zach Varnell, currently security consulting lead at web app pen-testing firm Asteros, seems to know where to find a Home Depot when necessary, too. On a former red-team engagement more than a decade ago, he said, a team member filled a pest-control canister with water and began spraying the grass outside, taking his time so everyone inside noticed. Moments later, the colleague went to a side door, asking to be let in. The company’s employees were hesitant, Varnell recalls—at first.

“Then he was like, ‘Well, I’m here to spray for black widows,’” he said.

While Varnell’s co-conspirator finished the fake spraying job, he left and held the door open for Varnell, who played the part of an intern. Instead of performing typical trainee tasks, though, he placed keystroke loggers (tools used to capture what someone’s typing, including passwords) into computers.

Physical attacks—“deliberate threats that involve 

”—are not extremely popular hacker tactics. After all, who doesn’t love working remotely? Cyberattacks continue to be a leading attack vector; according to a July report from the Identity Theft Resource Center (ITRC), 1,348 cyberattacks led to data breaches during H1 2025.

The ITRC calculated 34 “physical attacks”—a small amount by comparison, but a slight increase from the 33 physical attacks tallied in 

of 2024. (The report did not specify how many real-world attacks used fake pesticides.)

 Michael Welch, managing director and CISO at professional-services firm MorganFranklin Cyber, has seen organizations such as manufacturers hire red teamers to test the security of their own infrastructure and on-prem technology.

Some clients need the tests for compliance purposes, according to Welch, to meet standards like CMMC for defense contractors and HIPAA for healthcare pros, and to demonstrate proof of effective physical controls.

Physical attacks need somebody to be there, which takes resources, and may dissuade the average adversary on the other side of the world who can hack from home. Still, the red-team tests are important, Welch emphasized.

“You can’t just say, ‘Well, it’s small, so we’re going to ignore it.’ That just wouldn’t be good business sense. It’s not good risk management,” he said.

While Williams said nation-state adversaries will likely avoid physical attacks because of the high risk of getting caught, he has worked with clients who’ve discovered implanted listening devices in their environments.

As a hired pen tester, Williams has gained entry and placed small computers into open network jacks; the placement creates an endpoint on the network, which he can potentially connect to and perform malicious activity if network defenses are not in place. He has also grabbed small-form-factor computers—perhaps lacking full-disk encryption—left out in the open. Behind all the costumes, props, and impersonations, a red-team exercise is really about seeing how a company holds up on a real trash day.

“As CISO, as a network defender as well, you’re able to look and say, ‘Do my cybersecurity controls just collapse once somebody physically is inside one of our facilities?’” Williams said.

Image of a white security camera against a pink backdrop.

Recycle bins, pest-control sprayers, and other non-tech ways to breach security

 Red teamers are hired to craftily break in. Are our adversaries doing the same?

New data from DNSFilter shows that cybercriminals are stooping to a new low: targeting job seekers.

The cybersecurity company found 8,724 malicious domains containing the word “jobs,” with the overwhelming majority (86%) newly registered or observed. Meanwhile, 1,161 malicious domains contained the word “careers.”

Gregg Jones, an intelligence analyst lead at DNSFilter, told IT Brew that while it isn’t new for cybercriminals to target job seekers, the problem has been amplified by “current world conditions” that make those on the hunt for employment especially vulnerable to scams. While the US unemployment rate stood at 4.3% in August—the most recent published figure from the Bureau of Labor Statistics (BLS) due to the 

—job hiring has continued to falter. According to the BLS, US employers added 22,000 jobs in August, a sharp decline from 142,000 in the same period last year.

“​​The economy is not so great…people are struggling to find jobs, some people are struggling to keep jobs, and it’s that constant ebb and flow of ‘where’s the good sheep for the wolf to go attack?’” Jones said.

 Job seekers shouldn’t take the interest from cybercriminals personally, as malicious actors have placed targets on the backs of hiring managers, as well. In May, Arctic Wolf Labs released 

 about a spearphishing campaign hurled by threat group Venom Spider at hiring managers, with threat actors using résumés laced with malware when applying for jobs. Recruiters also have been grappling with the growing 

 scheme, which has grown in sophistication thanks to deepfake technology.

 DNSFilter suggests job seekers double-check domain names and stay away from links with “excessive hyphens or strange extensions.” Jones added that if a job offer looks too good to be true, it probably is, and said individuals can always reach out to hiring managers to verify recruitment notifications: “No one should ever chastise you for being extra careful.”

Cybercriminals have their eyes on job seekers

Job seekers can always double-check the validity of extended job offers with hiring managers, says DNSFilter Intelligence Analyst Lead Gregg Jones.

After a handful of cybersecurity incidents linked to Salesforce, including the Salesloft Drift data extortion incident and ongoing social engineering threats, industry leaders are encouraging others to prioritize system agility and careful vendor onboarding.

 found through an independent analysis that threat cluster UNC6040, a vishing-focused and financially motivated campaign, sought to compromise organizations’ Salesforce instances for data theft and extortion. Salesforce posted online warnings about the threats at the beginning of October, with the ongoing response last updated on Oct. 17.

The attempts to breach networks via vishing, according to GTIG, “have proven particularly effective in tricking employees, often with English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization’s Salesforce data.”

“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” GTIG wrote.

Nicole Aranda, a Salesforce senior manager for corporate communications, told IT Brew via email that, following the most recent 

 from threat actors, there is no indication that the company’s platform has been compromised, “nor is this activity related to any known vulnerability in our technology.”

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Aranda wrote.

Justin Tolman, the digital forensic subject matter expert and evangelist for e-discovery and software company Exterro, told IT Brew that, in light of the recent Salesforce breaches, companies need to prioritize securing third-party plugins that use a company’s platform, which can be done during the vendor onboarding process.

“What happens as companies grow…and in the Internet of things era that we are in, is different things are added to their software that they don’t have necessarily direct control over,” Tolman said. “If you look at a lot of the breaches that Salesforce ‘had,’ these were through breached third-party plugins that were using the Salesforce platform to then steal information.”

Tolman added that, for professionals combatting exposure through third-party resources like plug-ins, there needs to be increased focus on vendor onboarding rather than just doing a “tech check.” Some questions Tolman suggested included: 

Does your API plug in properly, and do what it says it does?

“I do feel like as Salesforce is the owner of the ecosystem, the manager of the ecosystem, they are ultimately responsible for ensuring that the plug-ins and the third-party apps and the different things—at least if it’s officially supported by Salesforce,” Tolman said.

Shree Reddy, the CIO of PenFed Credit Union (a customer of Salesforce that uses its agentic AI solution) told IT Brew that, in light of the recent slew of cybersecurity incidents concerning Salesforce and its customers, no organization is exempt from issues concerning cybersecurity. He pointed to the Salesforce ecosystem as having multiple technologies, and therefore multiple points of threat.

“That doesn’t take away the risk associated with it. However, in Salesforce’s open architecture, [it] also enables you to embrace concepts such as zero trust…and that gives you the option to go above and beyond what the platform provides,” Reddy said.

The Salesforce platform, Reddy added, gives customers the option to “go above and beyond” what Salesforce offers, with a set of baseline capabilities that customers can add to or adjust.

“[Salesforce’s platform] provides you to further strengthen your cybersecurity posture,” Reddy said. “In my opinion, it actually positions you for strength compared to a siloed tech stack and a siloed architecture.”

Reddy said IT pros have to build ecosystems that embrace agility via composable architecture, which is IT architecture that’s built from modular components for easy assembly and reassembly, to retain the ability to pivot a tech strategy in the face of internal and external factors.

“Agility is what makes the technology empower your business and empower our members and communities,” Reddy said. “Truly that platform strategy compared to the other siloed, segregated tech-stack view has tremendously helped us in multiple ways.”