Mirai Botnet Evolves & More 2017 Open Source Security Predictions


Here we are at the 18th of November, and the NVD vulnerability report is just shy of 200, with 199 entries logged. In this week’s cybersecurity and open source news we find the Mirai botnet scarily evolving. Black Duck’s Vice President of Security Strategy, Mike Pittenger, considers whether IoT device makers should be held liable in future attacks. Mike also makes some bold predictions about open source and OSS security in 2017, including the possibility of auto recalls forced by security breaches. A major security hole in Linux has been hiding in plain sight. OpenSSL on Thursday patched three vulnerabilities in its latest update. And the Black Duck Hub is a finalist for best vulnerability management solution in the 2017 SC Magazine Awards.

Open Source Insight will be on hiatus next week for the US Thanksgiving holiday. We’ll see you all at the beginning of December. Have a safe and secure week!

The Web-Shaking Mirai Botnet Is Splintering—But Also Evolving

WIRED reports that researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other Internet of Things (IoT) gadgets it has hijacked to power its streams of malicious traffic.

Internet Of Things 'Pollutants' & The Case For A Cyber EPA

In DarkReading, Mike Pittenger notes that recent IoT-executed DDoS attacks have been annoying, not life threatening… yet. Should device makers be held liable if/when something worse happens?

7 Open Source Security Predictions for 2017

Open source unicorns. Cyberattacks on the rise. Growing customer demand for better app security. The first auto manufacturer recall based on an open source vulnerability. Take a look into the Black Duck crystal ball for our 2017 predictions.

Major Linux security hole gapes open

As described in the security report, CVE-2016-4484, the hole allows attackers "to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exfiltrate data."

Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the enter key. Read more at ZDNet.

OpenSSL Patches High-Severity Denial-of-Service Bug

OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that security support will end December 31. Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected; earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.

SC Awards Round 1 Finalists

Black Duck Hub Finalist for Best Vulnerability Management Solution

These products perform network/device vulnerability assessment and/or penetration testing. They may use active or passive testing, and are either hardware- or software-based solutions that report vulnerabilities using some standard format/reference.

Know Your Code

Do you know how much open source is in your code? Find out with the free Black Duck Open Source Security Checker tool.

Find out what's hidden in your code - try Security Checker today.
