News is slight as the US prepares to bore into the Labor Day weekend and the unofficial end of Summer 2017. Yet our crack staff of editors has scoured the Webbernets to produce the best in cybersecurity and open source security news for your reading pleasure. Enjoy, and if you celebrate Labor Day, have a great holiday weekend!
via The ServerSide: Summary: Is there a hidden threat buried in your software stack? Is there a hidden threat embedded within your Docker container? It's certainly not a prospect that lives outside of the realm of possibility, especially if you're not 100% sure as to exactly how the various open source components that make up your software stack or your container image were derived. "One of the aspects of open source is that it can be forked," said Tim Mackey, the Technical Evangelist for Black Duck Software.
via LawFare: The technology behind elections is hard to get right. Elections require security. They also require transparency: anyone should be able to observe enough of the election process, from distribution of ballots, to the counting and canvassing of votes, to verify that the reported winners really won. But if people vote on computers or votes are tallied by computers, key steps of the election are not transparent and additional measures are needed to confirm the results.
via The Register: from Google’s TensorFlow to Microsoft’s Cognitive Toolkit, the world is awash in open source ML/AI code... none of which seems to be solving the gaping void between AI hype and production deployment reality. By Gartner’s estimates a mere 15 per cent of organisations actually get into production with ML/AI.
via Threatpost: The United States Federal Drug Administration is recalling 465,000 pacemakers that attackers can gain unauthorized access to issue commands, change settings and maliciously disrupt. Affected are four models manufactured by Abbott Laboratories.
via Forbes: Is the cybersecurity industry keeping up with cybercrime? Absolutely not. Cyberwarfare is at an all-time high, and cybersecurity is just unable—unequipped—to keep up. We’re seeing a convergence of three major vectors—devices, data, and a shortage of talent—coming to a head. That’s causing an explosion of what I’ll refer to as “cybercrime opportunity.”
Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication
via FDA: On August 23, 2017, the FDA approved a firmware update that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers. "Firmware" is a specific type of software embedded in the hardware of a medical device (e.g. a component in the pacemaker).
via Black Duck blog (Mike Pittenger): Twenty years ago, a software parts list would have seemed ludicrous. All software was built from scratch, and every code base was unique. Today, however, a software bill of materials is critical to organizations, for many of the same reasons they are required in radar detectors.