Our vulnerability of the week is over five years old. But CVE-2011-4109, a high-severity vulnerability in OpenSSL, was back in the news again, as a hacker used the vulnerability to crack a voting machine at DEF CON 25.
Is open source the magic bullet to secure voting? You’ll find contrasting opinions in this week’s Open Source Insight, as well as news and opinion on the bad habits cybersecurity pros need to break; whether Flash should be open sourced; compliance with the GDPR; and the so-called #nugate scandal.
Read on for all the open source security and cybersecurity fit to print…
via Black Duck blog (Fred Bals): At this year’s DEF CON 25 convention it took only a few hours for white hat hackers to break into five different voting machines. One researcher cracked an Express Pollbook system within two minutes via CVE-2011-4109, a vulnerability in OpenSSL, an open source project contained in hundreds of thousands of applications to secure communications.
via Linux Insider: Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their case for open source elections software after security researchers demonstrated how easy it was to crack some election machines in the Voting Machine Hacking Village staged at the recent DEF CON hacking conference in Las Vegas.
via Tech Republic: #7 - Not patching immediately
Companies often spend thousands of dollars on security solutions, only to have them bypassed by something as simple as not applying a security patch right away.
via Black Duck blog (Haidee LeClair): There have been over 1,000 vulnerabilities in the Adobe Flash Player since 2005 (when Adobe acquired Macromedia), and they tend to have fairly high CVSS scores. Considering the dominant use of Flash in online multimedia content, these security issues have been a concern for an eternity in internet time.
via Healthcare IT News: The healthcare sector is now making security a top priority: hiring CISOs and undertaking threat management and penetration testing, all more important than ever.
via Info Security: Many organisations don’t pay sufficient attention to the security exposures created by vulnerable open source components, and may not even be aware these exposures exist. In Black Duck’s most recent analysis of more than 1,000 commercial applications, known open source vulnerabilities were found in over 65 percent of those applications. Download this paper to find out more.
via Comms Trader: Creating classification-based, automated, and policy-driven approaches to GDPR is essential to success, and should enable organisations to accelerate their ability to meet the regulatory demands set out, before the impending deadline.
via CSO: Bad actors using typo-squatting placed 39 malicious packages in npm that went undetected for two weeks. How should the open source community respond?
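One practical response a project can make on its own side is to screen its dependency list for names that are a single typo or separator change away from a popular package. The following is an added example written for this roundup, not code from CSO, npm or any of the packages involved; the popular-package list and the package.json dependencies are constructed for illustration, and in practice the list would come from npm download rankings.

```javascript
// Added example: screen an npm dependency list for typosquat candidates.
// The POPULAR list and SAMPLE_DEPS below are constructed for illustration;
// a real run would feed in the top-N names from npm download statistics.
const POPULAR = ["lodash", "express", "request", "babel-cli", "cross-env", "mongoose", "react"];

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
// substitutions, insertions, deletions and adjacent transpositions cost 1 each,
// so "lodahs" is distance 1 from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse separators so "cross-env", "cross_env" and "crossenv" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Return one finding per dependency that is NOT itself a popular package but
// either normalises to the same string as one ("separator-variant") or sits
// within maxDistance edits of one ("edit-distance-N"). Exact matches are the
// genuine package and are skipped.
function findTyposquatCandidates(dependencies, popular = POPULAR, maxDistance = 1) {
  const popularSet = new Set(popular);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (popularSet.has(name)) continue;
    const n = normalize(name);
    for (const p of popular) {
      const np = normalize(p);
      if (n === np) {
        findings.push({ name, lookalike: p, reason: "separator-variant" });
        break;
      }
      const dist = editDistance(n, np);
      if (dist <= maxDistance) {
        findings.push({ name, lookalike: p, reason: `edit-distance-${dist}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed "dependencies" block standing in for a project's package.json.
const SAMPLE_DEPS = {
  "lodash": "^4.17.4",   // genuine
  "crossenv": "^5.0.0",  // separator dropped from cross-env
  "mongose": "^4.11.0",  // one letter missing from mongoose
  "babelcli": "^6.24.0", // separator dropped from babel-cli
  "react": "^15.6.1",    // genuine
  "d3": "^4.10.0"        // short name, nowhere near the list
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findTyposquatCandidates(SAMPLE_DEPS));
}
```

Run as a pre-install or CI step, a non-empty result is a reason to stop and look before `npm install` executes anyone's lifecycle scripts. The distance threshold is deliberately tight (1) to keep false positives down; raising it catches more creative misspellings at the cost of flagging legitimately similar names, so pair it with an allowlist of packages the team has already vetted.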
via Black Duck blog (Yev Bronshteyn): Let's be blunt. Richard Stallman's utopian vision of open source is dead. Code is no longer contributed to open source to grant some freedom that has been ordained an inalienable human right by reason and providence.