May we ask for your support? As a finalist for this year's Maryland Cybersecurity Industry Resource Award, we're also up for the People's Choice Award. If you're read or listen to the CyberWire, we'd appreciate your support. You can vote here through March 22 (and you don't need to be in Maryland, or even in the US, to do so). Thanks as always for reading and listening.
Statistics Canada, Canada Revenue Agency taken offline. Consequences of Vault 7 leaks. US Air Force exposed sensitive data in unprotected backup. Okta files its IPO. FireEye's attack trends report is out.
The recently disclosed Apache Struts vulnerability affected Canadian government services last week. Unknown attackers exploited the bug against Statistics Canada at midweek. The Canada Revenue Agency, not itself attacked, was taken offline over the weekend to remediate the same vulnerability. Neither agency believes sensitive information was compromised.
FireEye has released its 2017 M-Trends report on attacks and vulnerabilities.
Unicorn Okta files its long-anticipated IPO.
Google has addressed the Android vulnerabilities exposed in WikiLeaks' Vault 7, but many devices are likely to remain unpatched indefinitely. As observers continue to pick through Vault 7, the emerging consensus is that the operations apparently revealed involved highly targeted foreign intelligence collection (as opposed to bulk domestic surveillance), that there's so far been no significant release of hacking tools, and that the US should rethink vulnerability stockpiling and disclosure policies. (But on this last conclusion, see the debate described here.)
There's also an emerging consensus that the leaks probably came from a CIA insider, although a newly disclosed US Air Force compromise may give one pause before buying fully into this explanation. The Air Force is reported to have inadvertently exposed a very large set of sensitive documents (largely SF86 security questionnaires) containing sensitive personal information about at least 4000 officers. This may be chickenfeed compared to the OPM breach, but it's also self-inflicted. By all means backup your data, but, heavens to Murgatroyd, don't leave them out there in a misconfigured database without so much as the figleaf of a password for security decency.
Today's issue includes events affecting Canada, European Union, India, Russia, Singapore, United Kingdom, and United States.
In today's podcast we hear from our partners at the University of Maryland's Center for Health and Homeland Security, as Ben Yelin discusses a proposed mobile device privacy bill. We will also be speaking with a guest, Adam Thomas from Deloitte, co-author of the report "Demystifying Cyber Insurance Coverage." (He does some demystifying for us.)
Special editions are also up. See Perspectives, Pitches, and Predictions from RSA, and an overview of artificial intelligence as it's applied to security. And take a look at Cylance's video (taken in partnership with the CyberWire): opinions from the conference floor.