[Weekend Briefing] Security summer camps on the west coast

By Dain Oh, The Readable
Aug. 13, 2023 8:13AM GMT-7

“Weekend Briefing” is a weekly newsletter that is sent to The Readable’s subscribers every Friday. Journalists for The Readable select important news stories from the previous week. Topics encompass privacy, cybercrime, and policy development in cybersecurity. There are no costs involved with a subscription, and some content, such as industrial reports, is only available to those who subscribe to our newsletters.

Los Angeles, CA ― Hello! This is Dain Oh reporting from Los Angeles. Over the last four days, The Readable has covered the three major cybersecurity events that took place on the west coast of the United States: USENIX, Black Hat, and DEF CON. During our journey, our team held one-on-one interviews with dozens of security vendors and experts, listening to what they do to make the world a safer place, and has published ten news articles so far from keynote and track sessions at the conferences. Watching and recording these security summer camps, we have learned a great deal, even as sleep deprivation catches up with us. (No worries, readers. We will sleep like a rock once we get back home.) More stories will be published on our platform next week, so do not miss them. With this briefing, have a wonderful Sunday and a great start to your week!

1. When love turns into a monster: researchers shed light on IoT-enabled abuse by the intimate

Designed by Areum Hwang, The Readable

Anaheim, CA ― USENIX ― While cutting-edge technology, such as the smart devices installed in modern homes, is making interpersonal abuse worse, security experts have introduced a framework aimed at quickly improving our understanding of the privacy violations that stem from internet-of-things (IoT) devices.

During the 32nd USENIX Security Symposium, researcher Sophie Stephenson from the University of Wisconsin-Madison unveiled her team’s findings. Their work, detailed in a research paper titled “Abuse Vector: A Framework for Conceptualizing IoT-Enabled Interpersonal Abuse,” examined a large body of documented cases of interpersonal abuse linked to IoT devices. From these cases, they constructed four comprehensive abuse vectors that cover the various forms of abuse associated with these devices. READ MORE

2. Implement AI assistants as a first defense against robocalls, researcher suggests

Designed by Areum Hwang, The Readable

Anaheim, CA ― USENIX ― A security researcher suggested a practical solution on Wednesday for shielding users from the nuisance of robocalls. By employing an artificial intelligence assistant that answers a call and interacts with the caller the way a person would, individuals could effectively fortify themselves against these intrusive calls.

Addressing an audience of global researchers at the 32nd USENIX Security Symposium, Sharbani Pandit, who holds a doctorate from the Georgia Institute of Technology, put forth a compelling proposition. She introduced an interactive virtual assistant called "RoboHalt" as a potential solution for users looking to fend off robocalls. The assistant aims to stop calls even from numbers that are not yet on the blocklists used by existing call-blocking applications. READ MORE

3. Viasat, NSA urge building partnership, sharing their experience amid satellite hack

Mark Colaluca, Vice President and Chief Information Security Officer at Viasat, left, is sharing the company’s experience of the February 2022 attack along with Kristina Walter, who was the director of the National Security Agency’s Cybersecurity Collaboration Center (CCC) at the time of the KA-SAT hack. The satellite sabotage knocked tens of thousands of satellite modems offline across Ukraine and other parts of Europe. Photo by Dain Oh, The Readable

Las Vegas, NV ― Black Hat ― Forging a partnership between commercial and government entities proves to be pivotal in establishing an effective incident response process, as emphasized by the key players who collaborated to mitigate the unprecedented satellite sabotage that targeted Ukraine in 2022.

During the 26th Black Hat USA event on Thursday, Mark Colaluca, Vice President and Chief Information Security Officer at Viasat, shed light on a common oversight. “For many organizations, incident response is the most neglected muscle group,” Colaluca stated. He also offered insights into the cyberattacks against KA-SAT and expanded on the intricate dynamics at play, explaining, “Most of what we experienced was a complicated ecosystem which involved distributors, salespeople, and satellite people on servers, with many of these people being in different countries and facing a language barrier, making for a chaotic scene in the beginning.” READ MORE

4. US national cyber director stresses the importance of human element in security

The acting director of the Office of the National Cyber Director, Kemba Walden, on the right, is delivering a keynote speech in front of international security professionals at the Black Hat USA on Thursday. Photo by Kuksung Nam, The Readable

Las Vegas, NV ― Black Hat ― On Thursday, the White House’s acting national cyber director emphasized a crucial point: humans play a vital role in the realm of cyberspace. She also noted the significance of having a robust cyber workforce, adding that the absence of such a workforce poses a significant challenge to the nation’s security.

Kemba Walden, who has been serving as the acting director of the Office of the National Cyber Director since February, took the stage on Thursday as a keynote speaker at the Black Hat USA event. In her address, she spoke to an audience of international security professionals about the National Cyber Workforce and Education Strategy (NCWES) released on July 31, the first national strategy of its kind in this domain.

“We found that people are so integral to cyberspace that we had to do a whole separate strategy,” said Walden. “Some hundreds of thousands of cyber jobs are unfilled and that is a national security problem in my mind.” READ MORE

5. Disclosing security flaws could damage white hat hackers’ creativity, researcher warns

Ali Ahmed, an assistant professor in the Department of Information Systems at the College of Business, University of Wisconsin-Eau Claire, is presenting his ongoing research at the Black Hat conference on Thursday. Photo by Kuksung Nam, The Readable

Las Vegas, NV ― Black Hat ― A security academic raised an important concern on Thursday, highlighting that an organization’s choice to publicly disclose resolved vulnerabilities might inadvertently hinder ethical hackers’ capacity to uncover previously unknown security weaknesses.

At the Black Hat conference, Ali Ahmed, an assistant professor in the Department of Information Systems at the College of Business, University of Wisconsin-Eau Claire, unveiled his ongoing research. This study delves into the intricate connection between bug bounty programs and the behaviors exhibited by white hat hackers participating in these initiatives. READ MORE

6. Psychological safety leads to trust by design, GitHub security strategist says

John Swanson, the Security Strategy Director at GitHub, is sharing his experience about the 2FA enrollment campaign that he led across the GitHub community. Photo by Dain Oh, The Readable

Las Vegas, NV ― Black Hat ― According to insights from a security strategist at GitHub on Thursday, the success of a company’s effort to roll out two-factor authentication (2FA) across its user base hinges on the concept of psychological safety.

During a briefing session held at Black Hat, John Swanson, the Security Strategy Director at GitHub, recounted the journey of the world’s largest open-source community, where millions of developers were guided toward adopting two-factor authentication. GitHub’s initiative was driven by the goal of safeguarding developers and thereby fortifying the software supply chain at its origin, the developers’ own accounts. READ MORE

7. Only 22% of organizations run mature threat intelligence programs, malware detection leader reveals

Jan Miller, CTO of Threat Analysis at OPSWAT

Las Vegas, NV ― Black Hat ― A prominent malware detection company revealed on Wednesday that the threat intelligence industry is still in its initial phase, underscoring the need for at least 62% of global organizations to channel investments into essential tools and processes.

As outlined in OPSWAT's report titled “2023 Threat Intelligence Trends,” a mere 22% of organizations have managed to establish fully developed threat intelligence programs. This statistic underscores the gap between what organizations have implemented and what the current threat landscape demands. The survey outcomes also reveal that 68% of respondents struggle to detect both known and unknown malware strains. READ MORE

8. Opinion: Why security awareness training is mostly pointless

Mark Stamford, Founder and CEO at OccamSec

As a cybersecurity professional who has conducted numerous risk assessments and penetration tests, I have seen firsthand how vulnerable organizations and individuals remain despite investments in security awareness training. During social engineering assessments, employees at all levels routinely provide account access, sensitive data, and system credentials that enable attackers to bypass controls. These real-world experiences, combined with an understanding of human psychology and the fallibility of technology, have led me to conclude that traditional security awareness training provides little more than a false sense of security for most.

For example, in 2019, sophisticated phishing emails were used to steal over $4 million from a manufacturing company, bypassing their annual security awareness training. Municipal governments, hospitals, and schools have also been victims of phishing that led to ransomware infections and theft of personally identifiable information, with awareness programs failing to prevent these incidents. A well-known anecdote from Kevin Mitnick's book "The Art of Deception" describes how he obtained passwords and access to an organization during a social engineering audit despite the awareness efforts of the organization being tested beforehand. READ MORE

Upcoming events…

W.Media: Korea Cloud & Datacenter Convention 2023 (31 August, South Korea)


The Readable is a strategic partner with W.Media regarding this event. As part of the partnership, The Readable provides its readers with complimentary tickets. Send us an email to receive promotional codes.


The cover image of this article was designed by Sangseon Kim.

Dain Oh is a distinguished journalist based in South Korea, recognized for her exceptional contributions to the field. As the founder and editor-in-chief of The Readable, she has demonstrated her expertise in leading media outlets to success. Prior to establishing The Readable, Dain was a journalist for The Electronic Times, a prestigious IT newspaper in Korea. During her tenure, she extensively covered the cybersecurity industry, delivering groundbreaking reports. Her work included exclusive stories, such as the revelation of incident response information sharing by the National Intelligence Service. These accomplishments led to her receiving the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology, a well-deserved accolade bestowed upon her through a unanimous decision. Dain has been invited to speak at several global conferences, including the APEC Women in STEM Principles and Actions, which was funded by the U.S. State Department. Additionally, she is an active member of the Asian American Journalists Association, further exhibiting her commitment to journalism.