CyberWire Daily - Canadian government sites recover from the Apache Struts vulnerability. FireEye's M-Trends report is out, calling out greater sophistication in financial cybercrime. USAF accidentally exposes SF86s. Vault 7 update.

Episode Date: March 14, 2017

In today's podcast, we hear about how the Apache Struts bug has bitten in Canada. FireEye sees financial cybercrime approaching state espionage exploits in sophistication. The US Air Force leaves sensitive personal information exposed in a backup database. Investigation into WikiLeaks' Vault 7 continues. Okta files for its IPO. Ben Yelin from the UMD Center for Health and Homeland Security reviews a mobile device privacy bill. Adam Thomas from Deloitte outlines their latest cyber insurance report. And today is Patch Tuesday.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Apache Struts bug bites in Canada. FireEye sees financial cybercrime approaching state espionage exploits in sophistication. The U.S. Air Force leaves sensitive personal information exposed in a backup database. Investigation into WikiLeaks' Vault 7 continues.
Starting point is 00:02:14 Okta files for its IPO. And today is Patch Tuesday. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 14, 2017. The Apache Struts vulnerability we've been hearing about, it's now patched by the way, bit two Canadian government agencies last week, Statistics Canada and the Canada Revenue Agency. Unknown attackers hit Statistics Canada at midweek, exploiting the bug in the open-source framework used for building web applications. That took out Statistics Canada on the 8th and 9th.
Starting point is 00:02:52 Over the weekend, the Canada Revenue Agency took its own portal offline to remediate the Apache Struts vulnerability. Neither Statistics Canada nor the Canada Revenue Agency believe any sensitive information was compromised. Various vendors are expected to address the Apache Struts issue for their own products this week. Cisco and VMware have already indicated that they're in the process of doing so. FireEye has released its 2017 M-Trends report on attacks and vulnerabilities. The report offers the breakdown FireEye's Mandiant unit is accustomed to providing, discussing trends by both geographic region and economic sector. The executive summary notes, unsurprisingly, that cyberattacks show increasing sophistication
Starting point is 00:03:38 and that such advances in complexity and effectiveness have been led by nation-state security and espionage services. In the financial sector, however, criminal attackers have in many respects caught up to the point at which the criminals are difficult to distinguish from the intelligence operations. As the report puts it, quote, Some financial threat actors have caught up to the point where we no longer see the line separating the two. End quote. The Cyber Edge Group has issued a report on ransomware. It's a look back at 2016, and it found that a third of the organizations hit by ransomware paid up to recover their data.
Starting point is 00:04:15 A bit more than half, 54%, refused to pay and recovered their data on their own. Some 13% declined to pay and lost their data. Most industry observers advise a mix of education and regular secure backup as the best defense against ransomware. Not all backups are necessarily equal, however. As Plixer CEO Michael Patterson observed to us, quote, sometimes ransomware can lock up cloud-based backups that are persistently synchronizing data. Turning to Vault 7, the WikiLeaks dump of apparent CIA documents we've been following since last week, there's an emerging consensus that the leaks probably came from a CIA insider.
Starting point is 00:05:00 It will be some time before investigations are complete, and some time after that before the results are made public. But there's a new disclosed compromise of U.S. Air Force information that might give one pause before buying too uncritically into this quite plausible explanation. And the Air Force case also has something to teach about ransomware defenses, since it illustrates how backups can bite back. In this latest incident, the Air Force is reported to have inadvertently exposed a very large set of sensitive documents, largely SF-86 security questionnaires, that contain personal information about at least 4,000 officers.
Starting point is 00:05:34 Sure, you'll say, this is chicken feed compared to the 22 million and change similarly affected by 2014's breach of the Office of Personnel Management, and relatively speaking, numerical chicken feed it may be. But the Air Force data exposure seems unusually exasperating because it's self-inflicted. The data was exposed in a misconfigured backup database that wasn't even protected by a password. By all means, back up your data, but heavens to Murgatroyd, don't hang them out there for all the world to poke through.
Starting point is 00:06:09 It's fair to say that cyber insurance is an area undergoing rapid evolution, as both buyers and sellers work to understand what needs to be covered and how to price it. Deloitte & Touche recently released a report titled Demystifying Cyber Insurance Coverage. Adam Thomas is a principal at Deloitte & Touche and one of the report's co-authors. If you're talking to a board member who's asked their team to go look at getting cyber insurance, who maybe doesn't fully understand all the nuance of the cyber issue, and their team goes out and gets cyber insurance, they kind of feel in maybe a false way that they're secure or they've got some protection in place, right? But I think what we're really seeing is there's a little bit of adjustment that's happening in the market. You know, what the
Starting point is 00:06:48 insurance companies have brought to the market over the last 70 years, companies are realizing that on the buy side, that it's maybe not what they need. And I'll say that, you know, because of that, the gap is widening. But at the same time, you know, as we spent time with the insurance community and the insurers, and particularly as we wrote this paper, they understand the market's changing, right? And they're looking for ways they can get comfortable taking some of these newer types of coverage to the market or potentially expanding existing policies that they have in the market. So, for example, it's not uncommon for a customer to purchase a business interruption policy or for a customer to purchase a product liability policy.
Starting point is 00:07:29 They do that today. What they're trying to resolve is in the event I have a product liability claim that stems from a cyber incident, is that something that gets covered under my traditional product liability policy or is a new policy and or form of endorsement required? You know, I think what we're going to see is the market's going to adjust in terms of where organizations have purchased cyber insurance traditionally versus where they buy going forward as the level of sophistication amongst the buyer and the insurance provider increases. Where I think there's an opportunity in the market, and I think the broker community in particular is recognizing this, is the broker community can play a much more proactive role at helping insurers and their customers really fit the right set of policies into the mix,
Starting point is 00:08:19 considering the total cost of risk management associated with the cyber problem that are given to insurers. That's Adam Thomas from Deloitte & Touche. You can check out the entire report, Demystifying Cyber Insurance Coverage, on Deloitte's website. Taking a quick look at our events calendar for a couple of events worthy of your consideration. On March 22nd, join ThreatConnect for a webinar on finding what size threat intelligence fits your enterprise. And at the end of this month, join industry leaders in Washington, D.C. for the second annual Billington International Cybersecurity Summit. That will be on Friday, March 30th. You can find links to all of these on our event tracker on our website.
Starting point is 00:08:59 Google has addressed the Android vulnerabilities exposed in WikiLeaks' Vault 7 dump, but as always, it's likely that a very large number of devices will remain unpatched indefinitely. As observers continue to pick through Vault 7, the emerging consensus is that the operations apparently revealed involved highly targeted foreign intelligence collection, as opposed to bulk domestic surveillance. That there's so far been no significant release of hacking tools, and that the U.S. ought to rethink vulnerability stockpiling
Starting point is 00:09:30 and disclosure policies. In industry news, one of the more anticipated IPOs of the past year and a half has been filed. Okta, a security sector unicorn, is going public. And today, of course, is Patch Tuesday for March 2017. Microsoft deferred last month's patch, and the industry is awaiting the word from Redmond sometime later this afternoon. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:19 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:11:01 Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting. Thank you. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:12:40 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Ben Yelin. He's a senior law and policy analyst for the University of Maryland Center for Health and Homeland Security. Ben, you know, we've been talking lately, you and I, these stories coming by about people being stopped at the border, both citizens and people who are not citizens, and having their mobile devices searched. Well, Senator Wyden from Oregon has introduced some legislation to address this. What do we need to know about that? Senator Wyden has sent a letter to the new head of the Department of Homeland Security, John Kelly, talking about his intention to introduce legislation to combat this problem.
Starting point is 00:13:20 This legislation would require that Customs and Border Patrol agents have probable cause or obtain a warrant based on probable cause to search digital devices. What we've seen are there have been instances at our border crossings where citizens and non-citizens are being asked not only to show their physical device, but to decrypt their phone, to enter their passcode. And this is potentially a major constitutional violation. Of course, normally we know under the Fourth Amendment, you have to have a warrant based on probable cause to search somebody's personal devices. There is this warrant exception when it comes to border searches, because this is sort of a special government need. We want to make sure that people coming into the country aren't doing anything dangerous. But what Senator Wyden and others have argued, and this also includes advocacy groups like the Electronic Frontier Foundation, is that the special needs exception for border
Starting point is 00:14:18 searches is far narrower in scope than what it's being used for. It's being used to gain a wealth of data and information from devices by having people decrypt them, when it was intended to just make sure that people weren't bringing dangerous materials into the country. Obviously, the prospects for legislation are very poor. Senator Wyden is in the minority in the Senate. And, you know, he can frequently be a bit of a lonely soul on electronic privacy issues, maybe he and a couple of other senators. So this is more about trying to raise awareness for the issue, I think, than any likeliness of having legislation passed. You know, I saw earlier this week, I saw someone made the analogy that as it stands right now,
Starting point is 00:15:01 the Border Patrol people consider your phone to basically be the same as your suitcase, you know, that they are entitled to go in and search around on it. But it struck me that, you know, just as if I have a filing cabinet at my house full of my personal papers, a warrant is required to come in and go through that filing cabinet. Well, in the modern world, what if I have that filing cabinet on Dropbox and I have a copy of Dropbox on my phone? You know, my personal filing cabinet has been extended to my phone. And well, the Border Patrol shouldn't be able to go through my filing cabinet. Absolutely. And I mean, it's the exact same information that they'd be seeking in some sort of physical
Starting point is 00:15:36 search. Obviously, the metaphor isn't perfect. There isn't a perfect analog for the type of search at issue here. But, you know, you could run into situations where, let's say, the FBI or some other intelligence agency thought that they could get incriminating information from someone, they didn't have probable cause to achieve it by legal means, waited for the person to leave the country, and said, all right, this border exception applies, we can look at your device, we can force you to decrypt it.
Starting point is 00:16:06 We can force you to enter your passcode. And we can obtain all of that information. I mean, I think it's potentially a major constitutional problem. Ben Yelin, as always, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:16:37 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:17:13 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
