Here we are at the 18th of November, and the NVD vulnerability report is just shy of 200, with 199 entries logged. In this week’s cybersecurity and open source news we find the Mirai botnet scarily evolving. Black Duck’s Vice President of Security Strategy, Mike Pittenger, considers whether IoT device makers should be held liable in future attacks. Mike also makes some bold predictions about open source and OSS security in 2017, including the possibility of auto recalls forced by security breaches. A major security hole in Linux has been hiding in plain sight. OpenSSL on Thursday patched three vulnerabilities in its latest update. And the Black Duck Hub is a finalist for best vulnerability management solution in the 2017 SC Magazine Awards.
Open Source Insight will be on hiatus next week for the US Thanksgiving holiday. We’ll see you all at the beginning of December. Have a safe and secure week!
The Web-Shaking Mirai Botnet Is Splintering—But Also Evolving
WIRED reports that researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other Internet of Things (IoT) gadgets it has hijacked to power its streams of malicious traffic.
Internet Of Things 'Pollutants' & The Case For A Cyber EPA
In DarkReading, Mike Pittenger notes that recent IoT-executed DDoS attacks have been annoying, not life threatening… yet. Should device makers be held liable if/when something worse happens?
7 Open Source Security Predictions for 2017
Open source unicorns. Cyberattacks on the rise. Growing customer demand for better app security. The first auto manufacturer recall based on an open source vulnerability. Take a look into the Black Duck crystal ball for our 2017 predictions.
Major Linux security hole gapes open
As described in the security report, CVE-2016-4484, the hole allows attackers "to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exfiltrate data."
Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the Enter key. Read more at ZDNet.
OpenSSL Patches High-Severity Denial-of-Service Bug
OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that security support will end December 31. Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected; earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.
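The advisory above boils down to a small decision table: the 1.1.0 series needs 1.1.0c or later, the 1.0.1 series is about to lose security support, and other series are not affected by the high-severity bug. The following script is an added example for turning that table into an inventory check; it is not code from Black Duck or the OpenSSL project. It assumes the standard `openssl version` output format ("OpenSSL 1.1.0b  26 Sep 2016") and that OpenSSL's patch-letter suffixes sort alphabetically, which holds for the 1.1.0 series. The sample version strings at the bottom are constructed for illustration.

```python
import re
import subprocess

# Facts from the advisory as summarised above: the high-severity DoS bug affects
# only the 1.1.0 series and is fixed in 1.1.0c; 1.0.1 loses security support
# on 31 December 2016.
FIXED_110_LETTER = "c"
EOL_SERIES = "1.0.1"
AFFECTED_SERIES = "1.1.0"

# Matches "OpenSSL 1.1.0b  26 Sep 2016" -> major, minor, fix, patch letter(s).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from `openssl version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def assess(version_text):
    """Classify a version string against this advisory's decision table."""
    v = parse_version(version_text)
    if v is None:
        return "unknown: not an OpenSSL version string"
    major, minor, fix, letter = v
    series = f"{major}.{minor}.{fix}"
    if series == AFFECTED_SERIES:
        # Plain "1.1.0" (empty letter) sorts before "c", so it is flagged too.
        if letter < FIXED_110_LETTER:
            return "vulnerable: 1.1.0 before 1.1.0c, upgrade to 1.1.0c"
        return "ok: 1.1.0c or later"
    if series == EOL_SERIES:
        return "end-of-life: security support ends 2016-12-31, plan migration"
    return "not affected by this advisory"


def local_openssl_version():
    """Run the local `openssl version` binary; None if it is not installed."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from several hosts.
    samples = [
        "OpenSSL 1.1.0b  26 Sep 2016",
        "OpenSSL 1.1.0c  10 Nov 2016",
        "OpenSSL 1.0.1u  22 Sep 2016",
        "OpenSSL 1.0.2j  26 Sep 2016",
        "LibreSSL 2.4.3",
    ]
    for s in samples:
        print(f"{s!r:35} -> {assess(s)}")
    local = local_openssl_version()
    if local:
        print(f"local host -> {assess(local)}")
```

Run it on a host to classify the locally installed library, or feed it version strings gathered from a fleet; anything reported as "unknown" (a LibreSSL build, for instance) needs its own advisory lookup rather than being treated as safe.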
SC Awards Round 1 Finalists
These products perform network/device vulnerability assessment and/or penetration testing. They may use active or passive testing, and are either hardware- or software-based solutions that report vulnerabilities using some standard format/reference.
Know Your Code
Do you know how much open source is in your code? Find out with the free Black Duck Open Source Security Checker tool.