A Review of the Best News of the Week on Cybersecurity Management & Strategy

Black Hat Wrap-Up: IoT and Hardware Vulnerabilities Take the Spotlight (SecurityWeek, Aug 10 2020)
The first entirely virtual edition of the Black Hat cybersecurity conference took place last week and researchers from tens of organizations presented the results of their work from the past year.

USA decides to cleanse local networks of anything Chinese under new five-point national data security plan (The Register, Aug 10 2020)
‘Clean Network’ initiative bans use of Chinese clouds, names Alibaba, Baidu, and Tencent as compromised

DEF CON 2020 Wrap-Up: Hacking Phones, Cars and Satellites (SecurityWeek, Aug 11 2020)
Tens of researchers showcased their work last week at the DEF CON hacking conference. They presented research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



I’m Open Sourcing the Have I Been Pwned Code Base (Troy Hunt, Aug 07 2020)
“Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.”

SANS Institute Says 28,000 User Records Exposed in Email Breach (SecurityWeek, Aug 12 2020)
The SANS Institute has disclosed a security incident which resulted in 28,000 records of personally identifiable information (PII) being forwarded to an unknown email address.

Black Hat USA 2020 Shines Spotlight on the Mental Challenges of Cybersecurity (Dark Reading, Aug 13 2020)
Infosec practitioners face a variety of mental struggles in areas such as awareness training, problem solving, or general mental health. Several sessions at Black Hat USA 2020 highlighted these challenges and how to overcome them.

UAE Hack and Leak Operations (Schneier on Security, Aug 13 2020)
Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates (UAE), Qatar, and Saudi Arabia, should be seen as the “simulation of scandal” – deliberate attempts to direct moral judgement against their target. Although “hacking” tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information.

Mozilla Cybersecurity Staff Hit by Layoffs (SecurityWeek, Aug 12 2020)
Mitchell Baker, the CEO of Mozilla Corporation and chairwoman of the Mozilla Foundation, announced on Tuesday that the company has laid off roughly 250 people, and former employees say the list includes cybersecurity staff.

All Of My TikTok Followers Are Fake (VICE, Aug 13 2020)
By buying followers, likes, and views, our own shoddy TikTok video climbed up the hashtag rankings.

Vulnerability Prioritization: Are You Getting It Right? (Dark Reading, Aug 10 2020)
Developers must find a way to zero in on the security vulns that present the most risk and quickly address them without slowing down the pace of development.

The precision of security undermined by a failure to correlate (Help Net Security, Aug 10 2020)
If Paul Newman’s Cool Hand Luke character were to address the security industry, his opening line would likely be: “What we have here is a failure to correlate.” Today, one of the major deficiencies affecting security is not a lack of data or even an aggregation of data, but the central problem is one of correlating data and connecting the dots to find otherwise hidden traces of attack activity.

Zero-Trust Security 101 (Dark Reading, Aug 11 2020)
What are the tenets and fundamental spirit of zero-trust architecture — without the marketing speak?

Hacking It as a CISO: Advice for Security Leadership (Dark Reading, Aug 10 2020)

Belarus Has Shut Down the Internet Amid a Controversial Election (Wired, Aug 10 2020)
Human rights organizations have blamed the Belarusian government for widespread outages.

Is Edtech the Greatest APT? (Dark Reading, Aug 11 2020)
Educational technology is critical but can come at huge costs to student and teacher privacy and security. Are those costs too high?

Incident Response Exercises Not Taken Seriously by Business Leaders (Infosecurity Magazine, Aug 12 2020)
Business efforts on incident response exercises do not show suitable preparedness.

Google Awards $10,000 for Remote Code Execution Vulnerability in Chrome (SecurityWeek, Aug 12 2020)
Google this week announced that an update for Chrome 84 includes 15 security patches, including for a serious vulnerability for which the tech giant awarded a $10,000 bug bounty.

Why & Where You Should You Plant Your Flag (Krebs on Security, Aug 12 2020)
Several stories here have highlighted the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. This post examines some of the key places where everyone should plant their virtual flags.