Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open Source


We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.

The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight. 


  1. Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open Source. Fred Bals | Senior Content Writer/Editor
  2. Cybersecurity News This Week: We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application. The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
  3. Open Source News
     • IoT Security Pros: You Can’t Beat the Hackers You Can Only Contain Them
     • It Wasn’t an Equifax Toaster That Stole 145M People’s Personal Data
     • U.S. Government Issues Alerts About Malware and IP Addresses Linked to North Korean Cyber Attacks
     • Known Security Vulnerabilities Are a Hacker's Guide to an IoT Breach
     • The Pentagon Is Set to Make a Big Push Toward Open Source Software Next Year
  4. More Open Source News
     • Banks Are Increasingly Turning to Open Source Projects. Here's Why.
     • It’s Time to Enlist Security Champions to Fuel Agile Development
     • Virgin Hyperloop One Joins GENIVI Alliance
     • Assume Every Application is an On-Premises Application
     • From Consumers to Contributors: The Evolution of Open Source in the Enterprise
  5. IoT Security Pros: You Can’t Beat the Hackers You Can Only Contain Them. via MSSP Alert: Internet of Things (IoT) security bulls might not like this one: You can’t count on beating the hackers — there’s too many unsecured devices to bolt down — but you may be able to contain them. How so? By concentrating on the big stuff, according to security experts Charlie Miller and Chris Valasek, in remarks delivered at the Black Duck Software’s Flight 2017 conference in Boston.
  6. It Wasn’t an Equifax Toaster That Stole 145M People’s Personal Data. via Black Duck blog (Fred Bals): The good news? Bad guy hackers are lazy, and will move on to easier pickings when confronted with good security. The bad news? Good security is often expensive, and not necessarily a cost businesses are enthusiastic about adding to product prices and passing on to customers. Those were key takeaways from security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference.
  7. U.S. Government Issues Alerts About Malware and IP Addresses Linked to North Korean Cyber Attacks. via TechCrunch: US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber-attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.
  8. Known Security Vulnerabilities Are a Hacker's Guide to an IoT Breach. via IoT Journal: More than 90 percent of the software written these days integrates open-source code. Such code is used in IoT firmware, operating systems, network platforms and applications. This trend will only continue to grow because, by leveraging open-source, developers can lower assembly costs and quickly add innovations, thereby saving months or years of originally required development time. Whether software code is proprietary or open-source, it harbors security vulnerabilities.
  9. The Pentagon Is Set to Make a Big Push Toward Open Source Software Next Year. via the Verge: Besides cost, there are other compelling explanations for why the military might want to go open source. One is that technology outside the Pentagon simply advances faster than technology within it, and by availing itself to open-source tools, the Pentagon can adopt those advances almost as soon as the new code hits the web, without going through the extra steps of a procurement process.
  10. Banks Are Increasingly Turning to Open Source Projects. Here's Why. via American Banker: The weakest points of most software programs are the flaws or bugs that can be exploited by hackers and cybercriminals. Recent case in point: the —$300 million worth of Ether locked in Parity digital wallets because a coder was able to poke around in Parity’s digital wallet and kill a smart contract, thus freezing all wallets that smart contract governed. The Equifax breach is another example: a weakness in an open source software package called Apache Struts allowed hackers to steal millions of sets of consumer data. (A patch was available for the Apache software, but Equifax didn’t apply it.)
  11. It’s Time to Enlist Security Champions to Fuel Agile Development. via Synopsys blog (Brendan Sheairs): A traditional software security group (SSG) isn’t equipped to apply security activities to Agile development environments effectively. Applying security to agile processes requires the injection of security-related people, processes, and testing activities at a sprint tempo… So how can we inject security into Agile development?
  12. Virgin Hyperloop One Joins GENIVI Alliance. via Business Insider: The GENIVI Alliance, a collaborative community of automakers and their suppliers developing open software for in-vehicle infotainment (IVI) and the connected car, today announced that Virgin Hyperloop One, the only company in the world that has built and successfully tested a full-scale hyperloop system, has joined the Alliance to work with the strong GENIVI ecosystem and leverage its proven history of open source software collaboration.
  13. Assume Every Application is an On-Premises Application. via Black Duck blog (David Znidarsic): If prevention or knowledge of an application’s required client-side installations is important to you, you need to do a technical analysis of what is and what is not installed; don’t rely on marketing materials and naïve categorizations. In the absence of such an analysis, assume every application you use requires some type of client-side installation.
  14. From Consumers to Contributors: The Evolution of Open Source in the Enterprise. via Computer Weekly: The 11th edition of Black Duck Software’s annual report into enterprise open source usage revealing that 66% of the 819 respondents regularly contribute to open source projects. Also, just under half (48%) said the number of individual contributors within their organisation was set to rise.
  15. Subscribe: Stay up to date on open source security and cybersecurity – subscribe to our blog today.
