This week’s news is dominated, of course, by the fallout from and reaction to last week’s WannaCrypt/WannaCry attacks, but other open source and cybersecurity stories you won’t want to miss include:
- An important open source ruling that confirms the enforceability of dual licensing.
- What New York’s new cybersecurity regulations mean for financial services companies.
- The PATCH Act and its proposal to write the Vulnerabilities Equities Process into law.
Info from the NVD: WannaCry is a threat composed of two main parts, a worm module and a ransomware module. The ransomware module is spread by the companion worm module, which uses two Microsoft Windows SMB Server Remote Code Execution Vulnerabilities, CVE-2017-0144 and CVE-2017-0145, to spread.
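One practical consequence of the worm module described above is that an infected host opens connections to TCP/445 on many neighbouring (and random Internet) addresses in quick succession, which shows up in flow or firewall logs well before any ransom note. The detector below is an added example, not code from the NVD or from this page: it reads constructed flow-log lines (the key=value layout and every address in them are made up for the example) and flags any source that reaches a threshold number of distinct destinations on port 445 inside a sliding window. Denied connections count as well, because a sweep of empty or firewalled addresses is still a sweep. The SMB flaws the worm uses were fixed by Microsoft's MS17-010 bulletin in March 2017, so a hit here is an unpatched host that has also become a propagator.

```python
"""Flag WannaCry-style SMB fan-out in flow logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed flow-log lines, not captured traffic: two ordinary hosts and one
    host behaving like the worm module (one new /24 neighbour per second, many of
    which refuse the connection). The key=value layout is assumed for the example."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    line = "{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}"

    def ts(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = []
    # 10.0.4.20: user workstation reconnecting to the same file server
    for i in range(5):
        lines.append(line.format(ts=ts(7 * i), src="10.0.4.20", dst="10.0.4.5",
                                 dport=445, action="allow"))
    # 10.0.4.21: admin box touching three servers, plus one HTTPS session
    for i, dst in enumerate(["10.0.4.5", "10.0.4.6", "10.0.4.7"]):
        lines.append(line.format(ts=ts(10 + i), src="10.0.4.21", dst=dst,
                                 dport=445, action="allow"))
    lines.append(line.format(ts=ts(12), src="10.0.4.21", dst="203.0.113.10",
                             dport=443, action="allow"))
    # 10.0.4.17: worm-like fan-out across 10.0.4.1-40 on TCP/445
    for i in range(1, 41):
        lines.append(line.format(ts=ts(i), src="10.0.4.17", dst=f"10.0.4.{i}",
                                 dport=445, action="allow" if i % 3 else "deny"))
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse_line(line):
    """'<iso-ts> k=v k=v ...' -> (datetime, dict of fields)."""
    stamp, *pairs = line.split()
    return datetime.strptime(stamp, TS_FMT), dict(p.split("=", 1) for p in pairs)


def detect_smb_fanout(lines, window_s=60, threshold=20):
    """Return {src: (first_alert_ts, distinct_dsts)} for every source that reaches
    `threshold` distinct TCP/445 destinations within any `window_s`-second window.
    Lines must arrive in chronological order (a live feed or a sorted export)."""
    recent = defaultdict(deque)          # src -> deque[(ts, dst)] inside the window
    alerts = {}
    for raw in lines:
        if not raw.strip():
            continue
        ts, f = parse_line(raw)
        if f.get("proto") != "tcp" or f.get("dport") != "445":
            continue
        q = recent[f["src"]]
        q.append((ts, f["dst"]))         # allow and deny both count: a scan is a scan
        while q and ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                  # slide the window forward
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and f["src"] not in alerts:
            alerts[f["src"]] = (ts, len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, n) in detect_smb_fanout(build_sample_log()).items():
        print(f"{when:{TS_FMT}} {src} reached {n} distinct hosts on tcp/445 in 60s")
```

Tune `threshold` and `window_s` to the environment, and keep an allowlist for hosts that legitimately fan out on 445 (vulnerability scanners, backup servers, domain controllers), otherwise the first authorised scan after deployment will page you.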
via Law360 (subscription required): The U.S. District Court for the Northern District of California recently issued an opinion that is being hailed as a victory for open-source software. In this case, the court denied a motion to dismiss a lawsuit alleging violation of an open-source software license, paving the way for further action enforcing the conditions of the GNU General Public License (“GPL”).
Ruling Confirms Enforceability of Dual-Licensing and Breach of GPL for Failing to Distribute Source Code
via Law of the Level: This case highlights the need to understand and comply with the terms of open source licenses. Many companies use open source without having adequate open source usage policies or understanding of the legal risks of using open source. As this case highlights, one of the key risks with using open source is that in certain circumstances a company may be required to release the source code for its proprietary software based on usage of open source code in the software.
via DarkReading: One of the harshest cybersecurity regulations to hit companies in the US recently went into effect in New York. The state regulator, the New York Department of Financial Services, introduced its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), a regulation designed to tighten cybersecurity practices across a wide selection of companies, which became effective on March 1, 2017. The rules are highly prescriptive, going into substantial detail about the cybersecurity requirements for covered entities and imposing significant reporting requirements on those companies, including:
- Secure development: Under section 8, regulated companies will have to prove that they use secure software development processes for in-house applications and that they test the cybersecurity of external software.
The Need for Urgent Collective Action to Keep People Safe Online: Lessons from Last Week’s Cyberattack
via Microsoft: [The WannaCrypt] attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.
As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.
via the Black Duck blog: Whether open source or proprietary code, most known vulnerabilities have patches available on the date of their disclosure. Despite the availability of patches — like the one issued by Microsoft that could prevent a WannaCry attack — an alarming number of companies and individuals simply do not apply them. Two months after Microsoft issued its security patch, thousands of computers remain vulnerable to the WannaCry exploit for a variety of reasons, ranging from the use of bootleg software to simple indolence.
via Health IT Outcomes: More is the word of the day: more software with more flaws that can be exploited by more attackers. In March and April, multiple events left cybersecurity teams scrambling to address real and potential attacks:
- March 6, 2017 — The Apache Foundation announces a previously undiscovered flaw in one of the most commonly used web application frameworks, Struts 2. The vulnerability dates to 2012. Two weeks later, several variations of the new attack vector are announced.
- April 6, 2017 — the first public reporting of a Struts 2 attack when malicious hackers use the new exploit to deliver ransomware targeting Windows servers.
- April 18, 2017 — Oracle announces the largest quarterly Critical Patch Update in the company’s history: 299 patches cover a variety of vulnerabilities including some known for years.
- April 27, 2017 — Verizon’s 10th Annual Breach Report states healthcare is the second most attacked sector and successful ransomware attacks doubled in 2016.
The common threads across each of these events: flawed third-party software code and the widespread use of vulnerable code.
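The thread running through the Black Duck blog item above (patches exist, but nobody knows which systems need them) and the Struts 2 timeline is the same operational gap: you cannot patch a vulnerable component you have not inventoried. The script below is an added example, not Black Duck Hub or code from this page, showing the smallest useful version of that inventory check: declared Maven coordinates are matched against a vulnerability feed entry by inclusive version range. The feed entry and the dependency lines are constructed for the example; the coordinate and affected ranges are those published for the March 2017 Struts 2 advisory (CVE-2017-5638, the Jakarta Multipart parser flaw), an identifier the page itself does not name.

```python
"""Match declared Maven dependencies against a vulnerability feed by version range
(added example; not Black Duck Hub or code from the page)."""
import re

# Constructed feed entry. The coordinate and ranges are the published ones for the
# March 2017 Struts 2 advisory (CVE-2017-5638); the identifier is supplied here,
# the page itself does not name it. Ranges are inclusive at both ends.
FEED = [
    {
        "id": "CVE-2017-5638",
        "group": "org.apache.struts",
        "artifact": "struts2-core",
        "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
        "fixed_in": ["2.3.32", "2.5.10.1"],
    },
]

# Constructed `mvn dependency:list` style lines (group:artifact:packaging:version:scope)
SAMPLE_DEPS = [
    "org.apache.struts:struts2-core:jar:2.3.28:compile",
    "org.apache.struts:struts2-convention-plugin:jar:2.3.28:compile",
    "commons-fileupload:commons-fileupload:jar:1.3.2:compile",
]


def version_key(v):
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else (0,)


def in_range(version, lo, hi):
    """Inclusive test with zero-padding so that 2.5 == 2.5.0 < 2.5.10 < 2.5.10.1."""
    keys = [version_key(x) for x in (version, lo, hi)]
    n = max(map(len, keys))
    v, l, h = (k + (0,) * (n - len(k)) for k in keys)
    return l <= v <= h


def parse_coordinate(line):
    """Return (group, artifact, version) from a dependency:list line, or None."""
    parts = line.strip().split(":")
    if len(parts) == 5:          # group:artifact:type:version:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:          # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None


def find_vulnerable(dep_lines, feed=FEED):
    """[(coordinate, advisory id), ...] for each declared version inside an affected range."""
    hits = []
    for line in dep_lines:
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        for entry in feed:
            if (group, artifact) != (entry["group"], entry["artifact"]):
                continue
            if any(in_range(version, lo, hi) for lo, hi in entry["affected"]):
                hits.append((f"{group}:{artifact}:{version}", entry["id"]))
    return hits


if __name__ == "__main__":
    for coord, advisory in find_vulnerable(SAMPLE_DEPS):
        print(f"{coord} is affected by {advisory}")
```

Two caveats a practitioner should keep in mind. First, declared coordinates are the floor, not the ceiling: a shaded or vendored copy of struts2-core, or a transitive dependency pulled in under another name, never appears in a `dependency:list` line, which is why commercial scanners fingerprint the binaries themselves. Second, the convention plugin at 2.3.28 above is not flagged only because the constructed feed lists a single artifact; a real feed must enumerate every affected artifact for each advisory.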
via SC Magazine UK: If security is often a distant issue to the general public, on Friday it must have felt very close indeed. The ransomware attack that paralysed 40 UK hospitals and countless other organisations across 150 countries will not soon be forgotten. After all, what appears to be a relatively unsophisticated and untargeted campaign managed to shut down industry giants and public utilities, including the UK's National Health Service.
via TechTarget: The bipartisan PATCH Act aims to codify the Vulnerabilities Equities Process into law in the wake of a global ransomware attack based on a stolen NSA cyberweapon.
The PATCH Act would create a Vulnerabilities Equities Process Review Board tasked with determining "whether, when, how, to whom, and to what degree" a vulnerability held by a government entity might be disclosed to a non-government entity. Permanent members of the review board would include: the secretary of Homeland Security (also the chairperson); the secretary of Commerce; the director of National Intelligence; and the directors of the FBI, CIA and NSA.
Interview with Mike Pittenger of Black Duck Software – Managing and Securing Your Open Source Software
via VPN Mentor: In my conversation with Mike Pittenger, VP for Security Strategy at Black Duck Software, we discuss the Black Duck KnowledgeBase and their Hub product that leverages all of its information. We also examine some of the most surprising findings that have surfaced in the course of Black Duck code audits, as well as some of the trends Mike sees from his unique vantage point on the open source community.
via Datensicherheit.de (Germany): "Ransomware tactics, techniques and procedures are no longer limited to the DarkNet," warns Chris Fearon, Director of Security Research at Black Duck. They are increasingly accessible through open source software channels. As a result, the barrier to the creation of malicious software will be lowered. In the age of open source ransomware it is imperative, says Fearon, "that vulnerability management processes are robust and the software supply chain prevents opportunistic exploitation of business functions."
via the Black Duck blog: As part of our research investigation to understand the scale of Web Services related security and compliance risks that originate from open source projects, we analyzed several publicly available projects, including Rocket.Chat, which was selected as a Black Duck Open Source Rookies of the Year – 2016.