The CyberWire Daily Podcast 3.14.17
Ep 305 | 3.14.17

Canadian government sites recover from the Apache Struts vulnerability. FireEye's M-Trends report is out, calling out greater sophistication in financial cybercrime. USAF accidentally exposes SF86s. Vault 7 update.


Dave Bittner: [00:00:03:15] Apache Struts bug bites in Canada. FireEye sees financial cybercrime approaching state espionage exploits in sophistication. The US Air Force leaves sensitive personal information exposed in a backup database. Investigation into WikiLeaks' Vault 7 continues. Okta files for its IPO. And today is Patch Tuesday.

Dave Bittner: [00:00:30:24] Time for a message from one of our sponsors, Dragos Incorporated. If you operate industrial control systems, you owe it to yourself and your stakeholders to get to know Dragos. They've got a new white paper, “Insights for Building an ICS Security Operation Center,” and it's fair to say you won't find their perspective elsewhere. You can find it on their website, While you're there, check out the three-pronged defense they offer infrastructure operators; Cyber Security Technology, Expert Services for Recovery or Threat Hunting and Timely Threat Intelligence, focused on the bad actors who threaten industrial control systems. Whether you operate in the electrical power, water or oil and gas utility sectors, Dragos has something valuable for you and your security. Again, that's Dragos, for your industrial control system cyber security peace of mind. And we thank Dragos for sponsoring our show.

Dave Bittner: [00:01:37:05] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, March 14th, 2017.

Dave Bittner: [00:01:47:00] The Apache Struts vulnerability we've been hearing about - it's now patched, by the way - bit two Canadian government agencies last week, Statistics Canada and the Canada Revenue Agency. Unknown attackers hit Statistics Canada at midweek, exploiting the bug in the open source framework used for building web applications. That took out Statistics Canada on the 8th and 9th. Over the weekend, the Canada Revenue Agency took its own portal offline to remediate the Apache Struts vulnerability. Neither Statistics Canada nor the Canada Revenue Agency believe any sensitive information was compromised.

Dave Bittner: [00:02:24:12] Various vendors are expected to address the Apache Struts issue for their own products this week. Cisco and VMWare have already indicated that they're in the process of doing so.

Dave Bittner: [00:02:36:15] FireEye has released its 2017 M-Trends report on attacks and vulnerabilities. The report offers the breakdown FireEye's Mandiant unit is accustomed to providing, discussing trends by both geographic region and economic sector. The executive summary notes, unsurprisingly, that cyber attacks show increasing sophistication, and that such advances in complexity and effectiveness have been led by nation-state security and espionage services. In the financial sector, however, criminal attackers have in many respects caught up to the point at which the criminals are difficult to distinguish from the intelligence operations. As the report puts it, "some financial threat actors have caught up to the point where we no longer see the line separating the two."

Dave Bittner: [00:03:23:15] The CyberEdge Group has issued a report on ransomware. It's a look back at 2016, and it found that a third of the organizations hit by ransomware paid up to recover their data. A bit more than half - 54% - refused to pay and recovered their data on their own. Some 13% declined to pay and lost their data. Most industry observers advise a mix of education and regular, secure backup as the best defense against ransomware. Not all backups are necessarily equal, however. As Plixer CEO Michael Patterson observed to us, "sometimes ransomware can lock up cloud-based backups that are persistently synchronizing data.”

Dave Bittner: [00:04:04:13] Turning to Vault 7, the WikiLeaks dump of apparent CIA documents we've been following since last week, there's an emerging consensus that the leaks probably came from a CIA insider. It will be some time before investigations are complete, and sometime after that before the results are made public, but there's a newly disclosed compromise of US Air Force information that might give one pause before buying too uncritically into this quite plausible explanation. And the Air Force case also has something to teach about ransomware defenses, since it illustrates how backups can bite back.

Dave Bittner: [00:04:39:03] In this latest incident, the Air Force is reported to have inadvertently exposed a very large set of sensitive documents - largely SF86 security questionnaires - that contain personal information about at least 4,000 officers. Sure, you'll say, this is chickenfeed compared to the twenty-two million and change similarly affected by 2014's breach of the Office of Personnel Management, and relatively speaking, numerical chicken feed it may be. But the Air Force data exposure seems unusually exasperating because it's self-inflicted: the data was exposed in a misconfigured backup database that wasn't even protected by a password. By all means backup your data, but, heavens to Murgatroyd, don't hang them out there for all the world to poke through.

Dave Bittner: [00:05:24:07] It's fair to say that cyber insurance is an area undergoing rapid evolution, as both buyers and sellers work to understand what needs to be covered and how to price it. Deloitte and Touche recently released a report titled, "Demystifying Cyber Insurance Coverage". Adam Thomas is a principal at Deloitte and Touche and one of the report's co-authors.

Adam Thomas: [00:05:44:17] If you're talking to a board member who has asked their team to go look at getting cyber insurance, who maybe doesn't fully understand all the nuance of the cyber issue, and the team goes out and gets cyber insurance, they feel, in maybe a false way, that they're secure or they've got some protection in place. But I think what we're really seeing is that there's a little bit of adjustment that's happening in the market. What the insurance companies have brought to the market over the last seven to eight years, companies are realizing that on the buy side it's maybe not what they need and I'll say that, because of that, the gap is widening. But at the same time, as we spent time with the insurance community and the insurers in particularly as we wrote this paper, they understand the market's changed. They're looking for ways they can get comfortable taking some of these newer types of coverage to the market or potentially expanding existing policies that they have in the market. For example, it's not uncommon for a customer to purchase a business interruption policy, or for a customer to purchase a product liability policy. They do that today. What they're trying to resolve is in the event I have a product liability claim that stems from a cyber incident, is that something that gets covered under my traditional product liability policy or is it a new policy and a form of endorsement required? I think what we're going to see is the market's going to adjust in terms of organizations that purchase cyber insurance traditionally versus where they buy going forward as the level of sophistication amongst the buyer and the insurance provider increases. Where I think there's an opportunity in the market, and I think the broker community in particular is recognizing this, is the broker community can play a much more proactive role at helping insurers and their customers really fit the right set of policies into the mix, considering the total cost of which management associated with the cyber problem that are getting insured.

Dave Bittner: [00:07:42:10] That's Adam Thomas from Deloitte and Touche. You can check out the entire report, Demystifying Cyber Insurance Coverage, on Deloitte's website.

Dave Bittner: [00:07:52:07] Taking a quick look at our events calendar for a couple of events worthy of your consideration, on March 22nd, join Threat Connect for a webinar on finding what size threat intelligence fits your enterprise. And, at the end of this month, join industry leaders in Washington, DC, for the Second Annual Billington International Cybersecurity Summit. That will be on Friday, March 30th. You can find links to all of these on our event tracker on our website.

Dave Bittner: [00:08:18:05] Google has addressed the Android vulnerabilities exposed in WikiLeaks' Vault 7 dump, but as always it's likely that a very large number of devices will remain unpatched indefinitely. As observers continue to pick through Vault 7, the emerging consensus is that the operations apparently revealed involved highly targeted foreign intelligence collection, as opposed to bulk domestic surveillance, that there's so far been no significant release of hacking tools, and that the US ought to rethink vulnerability stockpiling and disclosure policies.

Dave Bittner: [00:08:51:23] In industry news, one of the more anticipated IPOs of the past year and a half has been filed. Okta, a security sector unicorn, is going public. And today, of course, is Patch Tuesday for March 2017. Microsoft deferred last month's patch, and the industry is awaiting the word from Redmond sometime later this afternoon.

Dave Bittner: [00:09:16:18] Time to thank our sponsor, Palo Alto Networks. You can visit them at Software as a service applications are changing the way organizations do business as data now lives beyond the traditional network perimeter. What are you doing to keep your organization's data secure in this new environment? Palo Alto Networks helps organizations with complete SaaS protection, providing detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention. Palo Alto Networks offers the most comprehensive cyber security for all cloud and software as a service environments because secure clouds are happy clouds. Get started securing yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:10:17:07] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst for the University of Maryland's Center for Health and Homeland Security. Ben, we've been talking lately about people being stopped at the border, both citizens and people who are not citizens, and having their mobile devices searched. Senator Wyden, from Oregon, has introduced some legislation to address this. What do we need to know about that?

Ben Yelin: [00:10:40:20] Senator Wyden sent a letter to the new Head of the Department of Homeland Security, John Kelly, talking about his intention to introduce legislation to combat this problem. This legislation require that customs and border patrol agents have probable cause or obtain a warrant based on probable cause to search digital devices. What we've seen are there have been incidences at our border crossings where citizens and non-citizens are being asked not only to show their physical device, but to decrypt their phone and enter their pass-code and this is potentially a major constitutional violation. Of course, normally we know under the Fourth Amendment you have to have a warrant based on probable cause to search somebody's personal devices. There is this warrant exception when it comes to border searches because this is sort of a special government need - we want to make sure that people coming into the country aren't doing anything dangerous. But what Senator Wyden and others have argued, and this also includes advocacy groups like the Electronic Frontier Foundation, is that the special needs exception for border searches is far narrower in scope than what it's being used for. It's being used to gain a wealth of data information from devices by having people decrypt them when it was intended to just make sure that people weren't bringing dangerous materials into the country. Obviously, the prospects for legislation are very poor. Senator Wyden is in the minority in this senate and he can frequently be a bit of a lonely soul on electronic privacy issues - maybe he and a couple of other senators. So this is more about trying to raise awareness for the issue, I think, than any likeliness of having legislation passed.

Interviewer: [00:12:27:09] I saw earlier this week someone made the analogy that, as it stands right now, the border patrol people consider your phone to basically be the same as your suitcase - that they're entitled to go in and search around on it. But it struck me that, if I have a filing cabinet at my house full of my personal papers, a warrant is required to come in and go through that filing cabinet. Well in the modern world, what if I have that filing cabinet on Dropbox, and I have a copy of Dropbox on my phone, my personal filing cabinet has been extended to my phone and the border patrol shouldn't be able to go through my filing cabinet.

Ben Yelin: [00:13:01:10] Absolutely. It's the exact same information that they'd be seeking in some sort of physical search. Obviously, the metaphor isn't perfect. There isn't a perfect analogue for the type of search at issue here, but you could run into situations where, let's say, the FBI or some other intelligence agency thought that they could get incriminating information from someone. If they didn't have probable cause to achieve it by legal means, waited for the person to leave the country, and said, alright, this border exception applies, we can look at your device, we can force you to decrypt it, we can force you to enter your pass-code and we can obtain all of that information. I think it's potentially a major constitutional problem.

Dave Bittner: [00:13:45:18] Ben Yelin, as always, thank you for joining us.

Dave Bittner: [00:13:50:02] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance prevents cyber attacks with artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell. Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.