Our vulnerability of the week is CVE-2017-7526, which resides in the Libgcrypt cryptographic library used by GnuPG. By exploiting the vulnerability, security researchers were able to extract a secret RSA-1024 key and use it to decrypt data. The Libgcrypt project has fixed the issue in Libgcrypt version 1.7.8, and Debian and Ubuntu have already updated their packages to the patched version.
On to this week’s open source security and cybersecurity news…
via InfoSecurity Group: Mike Pittenger, Black Duck VP of Security Strategy, looks at the potential risks of unknown and insecure open source components leading to vulnerabilities in pacemakers and other medical devices and systems.
Webinar July 25: Dan Hedley, Partner, IT and Commercial from Irwin Mitchell, will provide guidance on the General Data Protection Regulation (GDPR) and why a comprehensive approach to open source security management is essential for GDPR observance. In addition, we’ll review open source management best practices in the context of other industry-specific developments like the Network and Information Services Directive and the Electronic Identification Regulation.
via Inc.: The Global Cybersecurity Index, a UN report released this week, shows that despite global awareness of the proliferation of cybercrime and cyber-spying, many nations — including some of the world's most developed — suffer from severe deficiencies when it comes to cybersecurity. Furthermore, the study shows, there is a huge range of preparedness when it comes to the cybersecurity capabilities of the world's most powerful nations.
via International Telecommunication Union (ITU): Information and communication technology (ICT) networks, devices and services are increasingly critical to day-to-day life. In 2016, almost half the world used the Internet (3.5 billion users), and according to one estimate there will be over 12 billion machine-to-machine devices connected to the Internet by 2020. Yet, just as in the real world, the cyber world is exposed to a variety of security threats that can cause immense damage.
via Security Insider (German): To verify container contents easily, you might want to use container scanners, such as those offered by OpenSCAP or Black Duck. Such scans should be standard practice in production environments, and they fit well with approaches such as DevOps.
via eWeek: Oracle is expanding its container efforts with the official public debut of three new open-source utilities designed to help improve application container security and performance. The tools include the Smith secure container builder, Crashcart container debugging tool and the Railcar container runtime.
via ITPro Windows: The seven-page Spiceworks study, "GDPR: The Impact on IT," revealed that only 40 percent of businesses in the United Kingdom (U.K.) and 28 percent of companies in the rest of the EU have begun to prepare for the GDPR rules, which were designed to streamline and codify uniform data privacy laws across Europe to protect all of the citizens of the EU.
via TechCrunch: Baidu now claims one of the largest partner ecosystems for an autonomous driving platform in the world: its Apollo autonomous driving program now counts over 50 partners, including FAW Group, one of the major Chinese carmakers, which will work with Baidu on commercialization of the tech. Other partners include Chinese auto companies Chery, Changan and Great Wall Motors, as well as Bosch, Continental, Nvidia, Microsoft Cloud, Velodyne, TomTom, UCAR and Grab Taxi.
via Black Duck blog (Alex Berg): Black Hat USA 2017 is fast approaching, so we asked our security researchers, Chris Jess and Neil Rankin, which sessions they're excited to attend and why. Black Hat's focus on information security provides great resources to the research and development communities, but the sheer volume of trainings and briefings may be overwhelming. If you're struggling to figure out which talks to attend at Black Hat USA, check out Chris and Neil's selections.