As a finalist for this year's Maryland Cybersecurity Industry Resource Award, we're also up for the People's Choice Award, and we'd appreciate your support. You can vote here through March 22 (you don't need to be in Maryland, or even in the US, to do so). Thanks to all who've voted for us so far (and a special invitation to all the nice people we met at Cyber 9/12: we'd like your vote).
Results from Cyber 9/12, the Atlantic Council's cyber policy competition. Lessons on using criminals as subcontractors. Vault 7 and (sort of) responsible disclosure. IoT as Skynet.
Amid the speculation about Vault 7's source in unknown, unspecified contractors, some observers are drawing a similar lesson about the Yahoo! breach: the attribution that resulted in four indictments is unlikely to have occurred if Russian intelligence services hadn't sought to rely on the services of third-party criminals. The criminals, especially the car buff arrested in Canada, got sloppy and got them all caught.
To return to Vault 7, Cisco has been poring over the leaks and has issued warnings about a flaw that figures in those leaks: it affects some 318 switch models. They're working on a patch, but in the meantime they offer mitigations that users should take seriously.
WikiLeaks has offered to share vulnerabilities from Vault 7 with software vendors, but it has attached some conditions, and it says industry has been disappointingly slow to take it up on the offer. It's unclear exactly what those conditions are (they're being disclosed directly to the companies in WikiLeaks' communication with them), but they appear to include an undertaking to fix the vulnerabilities in question within ninety days of disclosure. A few outfits (notably Mozilla) seem to have agreed to play ball, but others (notably Google) have done nothing beyond acknowledging receipt of WikiLeaks' offer. WikiLeaks has indicated the consequences of failure to agree to terms by suggesting that uncooperative companies are dragging their feet because of connections with the US Intelligence Community.
Bruce Schneier reiterates warnings about the Internet-of-things: we are, he says, building an out-of-control global robot, and that's not good.
Today's issue includes events affecting Canada, China, France, Germany, India, Israel, Mexico, Poland, Russia, Spain, United Kingdom, and United States.
A note to our readers: You may have noticed that the Christian Science Monitor's Passcode project has announced it will cease publication at the end of this month. You've been a good service, Passcode, and you'll be missed. Hail and farewell, and thanks to all who contributed a sound and lively voice to our community. We hope we'll continue seeing your bylines in your parent newspaper's cyber coverage.
Special editions of the podcast are also up. See Perspectives, Pitches, and Predictions from RSA, and an overview of artificial intelligence as it's applied to security. And see also Cylance's video interview with our Producer.