Heartbleed Results in £100,000 fine and WannaCry Hits Japan

The patch for CVE-2014-0160, better known as Heartbleed, has been available since 2014; however, some applications still ship vulnerable versions of OpenSSL (1.0.1 through 1.0.1f), which keeps Heartbleed among the most dangerous vulnerabilities in the wild, as one local authority in the UK learned.

In other cybersecurity and open source news: Honda shuts down a car plant due to WannaCry. The potential risks of open source are broader than just license compliance. Girl Scouts to offer cybersecurity badges. And even restaurants aren’t safe from malware.

Honda Halts Japan Car Plant After WannaCry Virus Hits Computer Network

via Reuters: Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions, a spokeswoman said, despite efforts to secure its systems in mid-May when the virus caused widespread disruption at plants, hospitals and shops worldwide.

GDPR, OpenSSL, Heartbleed and a Cascade of Security Breaches

via Black Duck blog (Fred Bals): Even though Heartbleed was discovered over three years ago, and IT staff at the council flagged the need to update the software, the patch issued for it was never applied. Gloucester City Council “did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made,” said the UK's Information Commissioner's Office (ICO), the body that imposed the £100,000 fine.
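An added example (not from the original post or from Black Duck) that turns the affected version range above into an inventory check: it parses `openssl version` output and the `OPENSSL_VERSION_NUMBER` encoding used by the 1.0.x series, and flags builds in 1.0.1 through 1.0.1f. The host names and version strings in the sample inventory are constructed.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix.
# The 1.0.0 and 0.9.8 branches were never affected.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version_text(text):
    """Parse an 'OpenSSL 1.0.1e ...' string into (major, minor, fix, letter)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def parse_version_number(num):
    """Decode a 1.0.x-style OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into the same tuple."""
    major, minor, fix = (num >> 28) & 0xF, (num >> 20) & 0xFF, (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF  # 0 = no letter, 1 = "a", 2 = "b", ...
    letter = chr(ord("a") + patch - 1) if patch else ""
    return (major, minor, fix, letter)

def is_heartbleed_version(version):
    """True when the version falls in the affected range 1.0.1 .. 1.0.1f."""
    major, minor, fix, letter = version
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False
    # Patch letters sort lexically: "" (bare 1.0.1) < "a" <= ... <= "f" < "g".
    return letter <= LAST_AFFECTED_LETTER

def audit(inventory):
    """Return hosts (sorted) whose reported OpenSSL build is in the affected range."""
    # Caveat: some distributions backported the fix into builds that still report
    # 1.0.1e, so a hit is a lead to confirm against the package changelog, not proof.
    return sorted(host for host, text in inventory.items()
                  if is_heartbleed_version(parse_version_text(text)))

# Constructed sample inventory (host -> `openssl version` output), not real data.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "fw-01": "OpenSSL 1.0.1 14 Mar 2012",
}
```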

Hackers, Beware! Girl Scouts To Offer Cybersecurity Badges

via USA TODAY: Girl Scouts of the USA and Palo Alto Networks have announced a collaboration to introduce a series of 18 cybersecurity badges for girls K-12. The badges, which will help Scouts explore opportunities in STEM (science, technology, engineering and math) while building leadership skills, will be available to earn beginning in September 2018.

Why The Last Thing Open Source Needs Is More Corporate Oversight

via TechRepublic: According to a new Black Duck survey, developers can't get enough of open source, ramping up open source adoption by 60% last year. Why the uptick? A whopping 84% cited superior cost savings, ease-of-access, and no vendor lock-in.

3 Examples of Why Permissive Licenses Deserve a Little Respect

via Black Duck blog (Phil Odence): To the extent that tech companies manage open source risks, their primary focus tends to be on reciprocal licenses and the GPL in particular. As I've discussed earlier, the potential risks of open source are broader than just license compliance. Additionally, there are other licenses to consider beyond the GPL. Even permissive licenses deserve a little respect.

Black Duck Selected as a 2017 US-Ireland Top 50 Company

via TechBuzzIreland: Black Duck Software has been named a US-Ireland Top 50 Company by The Irish Echo, the USA’s largest and most widely read Irish American weekly. Black Duck was presented with the award honoring 50 major companies with operations in the US and Ireland during the New York/New Belfast Investment Conference at Pier A, Harbor House in New York City.

Fileless Malware Targeting US Restaurants Went Undetected by Most AV

via Ars Technica: Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market.

A Cyberattack ‘the World Isn’t Ready For’

via NY Times: “I don’t pursue every attacker, just the ones that piss me off. This pissed me off and, more importantly, it pissed my wife off, which is the real litmus test.”