We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
via MSSP Alert: Internet of Things (IoT) security bulls might not like this one: You can’t count on beating the hackers — there are too many unsecured devices to bolt down — but you may be able to contain them. How so? By concentrating on the big stuff, according to security experts Charlie Miller and Chris Valasek, in remarks delivered at Black Duck Software’s Flight 2017 conference in Boston.
via Black Duck blog (Fred Bals): The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.
via TechCrunch: US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber-attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.
via IoT Journal: More than 90 percent of the software written these days integrates open-source code. Such code is used in IoT firmware, operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open-source, developers can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time. Whether software code is proprietary or open-source, it harbors security vulnerabilities.
via the Verge: Besides cost, there are other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process.
via American Banker: The weakest points of most software programs are the flaws or bugs that can be exploited by hackers and cybercriminals. Recent case in point: the ~$300 million worth of Ether locked in Parity digital wallets because a coder was able to poke around in Parity’s digital wallet and kill a smart contract, thus freezing all wallets that smart contract governed. The Equifax breach is another example: a weakness in an open source software package called Apache Struts allowed hackers to steal millions of sets of consumer data. (A patch was available for the Apache software, but Equifax didn’t apply it.)
via Synopsys blog (Brendan Sheairs): A traditional software security group (SSG) isn’t equipped to apply security activities to Agile development environments effectively. Applying security to agile processes requires the injection of security-related people, processes, and testing activities at a sprint tempo… So how can we inject security into Agile development?
via Business Insider: The GENIVI Alliance, a collaborative community of automakers and their suppliers developing open software for in-vehicle infotainment (IVI) and the connected car, today announced that Virgin Hyperloop One, the only company in the world that has built and successfully tested a full-scale hyperloop system, has joined the Alliance to work with the strong GENIVI ecosystem and leverage its proven history of open source software collaboration.
via Black Duck blog (David Znidarsic): If prevention or knowledge of an application’s required client-side installations is important to you, you need to do a technical analysis of what is and what is not installed; don’t rely on marketing materials and naïve categorizations. In the absence of such an analysis, assume every application you use requires some type of client-side installation.
via Computer Weekly: The 11th edition of Black Duck Software’s annual report into enterprise open source usage reveals that 66% of the 819 respondents regularly contribute to open source projects. Also, just under half (48%) said the number of individual contributors within their organisation was set to rise.