A Review of the Best News of the Week on Cybersecurity Management & Strategy
DARPA to Bring its Smart Ballot Boxes to DEF CON for Hacking (Dark Reading, Aug 01 2019)
The agency this week will share the source code and hardware specifications for the secure voting system prototypes.
What We Can Learn from the Capital One Hack (Krebs on Security, Aug 02 2019)
“a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years.”
Cloudflare Boots 8chan as a Customer (VICE, Aug 04 2019)
Cloudflare’s move comes after multiple mass shooters have posted so-called manifestos to the anonymous message board.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Cisco pays $8.6 million for selling surveillance system it knew was vulnerable (Ars Technica, Aug 01 2019)
Whistleblower said Cisco waited more than 4 years to fix serious flaw.
Barr says the US needs encryption backdoors to prevent “going dark.” Um, what? (Ars Technica, Aug 04 2019)
“Service providers, device manufacturers, and application developers are developing and deploying encryption that can only be decrypted by the end user or customer, and they are refusing to provide technology that allows for lawful access by law enforcement agencies in appropriate circumstances,” Barr proclaimed.
The Equifax Settlement Is a Cruel Joke (VICE, Aug 02 2019)
Experts say the FTC dramatically underestimated the public’s anger over repeated privacy violations.
One Million Bank Phone Calls Found in Exposed Server (VICE, Aug 01 2019)
The calls contain employees from Bank of Cardiff, based in California, talking to potential customers about business loans and other sensitive conversations.
DOJ Says Capital One Mega Breach Suspect Could Face More Charges—Did She Hack Multiple Companies? (Forbes, Jul 30 2019)
The alleged hacker behind the mega bank breach may have also accessed data from a slew of other organizations. They include one of the world’s biggest telecom providers, an Ohio government body and a major U.S. university, according to Slack messages sent by the accused and seen by Forbes.
RIP Hacker Hoodies? Competition Calls for Better Cybersecurity Art (PCMag, Aug 01 2019)
Got a creative idea on how to visualize cyber conflict, hacking, and privacy? A new contest wants your submission. ‘There is a massive opportunity to improve the ways in which cybersecurity is communicated, taught, and visualized,’ say the contest’s sponsors.
70% of Orgs Will Use Security-as-a-Service by 2021 (Infosecurity Magazine, Aug 02 2019)
Survey suggests more orgs are turning to cloud-based security services.
Resource Headaches Top Security Pros’ Challenges (Infosecurity Magazine, Aug 01 2019)
IISP study finds people are a much bigger problem than process or technology.
Space agency uses Raspberry Pi to solve satellite encryption puzzle (Naked Security – Sophos, Aug 02 2019)
The European Space Agency thinks it’s found a cheaper way to control a small module – and it’s built around a tiny Raspberry Pi Zero.
Five Eyes nations demand access to encrypted messaging (Naked Security – Sophos, Aug 01 2019)
The alliance wants tech companies to build backdoor access to users’ encrypted data, by force if necessary.
Economics of Ransomware – To Pay Or Not To Pay? (SecurityWeek, Aug 01 2019)
“At the end of the day, I encourage businesses and organizations of all sizes to leave the moral judgments regarding ransomware to the government. Leave the “fight” to the companies that are paid to fight, that are equipped to fight. Just pay. Just pay and go on with your life.”
CyberRisk Alliance Acquires SC Media (SC Magazine, Aug 05 2019)
CyberRisk Alliance (“CRA”), a business intelligence company serving the cybersecurity and information risk management marketplace, has acquired SC Media, a digital information and event company serving cybersecurity executives and other business professionals, from Haymarket Media, Inc.
A dismal industry: The unsustainable burden of cybersecurity (ZDNet, Aug 02 2019)
Cybersecurity spending is the fastest-growing segment in IT budgets, but it provides no productivity gains or protection against more advanced exploits.
Regulating International Trade in Commercial Spyware (Schneier on Security, Aug 05 2019)
“Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses.”
Microsoft sets up isolated environment for bug hunters to test attacks against Azure (Help Net Security, Aug 06 2019)
Microsoft has some very good news for bug hunters: not only has the company doubled the top bounty reward for vulnerabilities discovered in its Azure cloud computing service, but has also created an isolated testing environment that will allow researchers to try to exploit them.
Only 32% of government organizations consider a cloud-first strategy (Help Net Security, Aug 06 2019)
Only 32% of government organizations would consider implementing a cloud-first strategy, and only 20% would consider becoming 100% cloud. The main reason they cited is lack of resources: 92% of IT teams didn’t receive a budget increase for cloud security in 2019, and 50% of them say they have no financial support when it comes to dealing with cloud security issues.
Slack Unveils New Enterprise Security Tools (SecurityWeek, Aug 06 2019)
Some of the new features focus on providing control over which users and which devices can access Slack. Administrators can enable an additional layer of authentication for the Slack mobile app, requiring users to authenticate via Face ID, Touch ID or one-time passwords after they log in.