Mirai Botnet Evolves & More 2017 Open Source Security Predictions

Here we are at the 18th of November, and the NVD vulnerability report is just shy of 200, with 199 entries logged. In this week’s cybersecurity and open source news we find the Mirai botnet scarily evolving. Black Duck’s Vice President of Security Strategy, Mike Pittenger, considers whether IoT device makers should be held liable in future attacks. Mike also makes some bold predictions about open source and OSS security in 2017, including the possibility of auto recalls forced by security breaches. A major security hole in Linux has been hiding in plain sight. OpenSSL on Thursday patched three vulnerabilities in its latest update. And the Black Duck Hub is a finalist for best vulnerability management solution in the 2017 SC Magazine Awards.

Open Source Insight will be on hiatus next week for the US Thanksgiving holiday. We’ll see you all at the beginning of December. Have a safe and secure week!

The Web-Shaking Mirai Botnet Is Splintering—But Also Evolving

WIRED reports that researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other Internet of Things (IoT) gadgets it has hijacked to power its streams of malicious traffic.

Internet Of Things 'Pollutants' & The Case For A Cyber EPA

In DarkReading, Mike Pittenger notes that recent IoT-executed DDoS attacks have been annoying, not life threatening… yet. Should device makers be held liable if/when something worse happens?

7 Open Source Security Predictions for 2017

Open source unicorns. Cyberattacks on the rise. Growing customer demand for better app security. The first auto manufacturer recall based on an open source vulnerability. Take a look into the Black Duck crystal ball for our 2017 predictions.

Major Linux security hole gapes open

As described in the security report, CVE-2016-4484, the hole allows attackers "to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exfiltrate data."

Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the Enter key. Read more at ZDNet.

OpenSSL Patches High-Severity Denial-of-Service Bug

OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that security support will end December 31. Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected; earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.

SC Awards Round 1 Finalists

Black Duck Hub Finalist for Best Vulnerability Management Solution

These products perform network/device vulnerability assessment and/or penetration testing. They may use active or passive testing, and are either hardware- or software-based solutions that report vulnerabilities using some standard format/reference.

Know Your Code

Do you know how much open source is in your code? Find out with the free Black Duck Open Source Security Checker tool.

Find out what's hidden in your code - try Security Checker today.
