Security News

Organizations Warned About DoS Flaws in Popular Open Source Message Brokers
2021-06-08 15:02

Organizations have been warned about denial of service vulnerabilities found in RabbitMQ, EMQ X and VerneMQ, three widely used open source message brokers. Message brokers enable applications, systems and services to communicate with each other and exchange information by translating messages between formal messaging protocols.

DoS vulns in 3 open-source MQTT message brokers could leave users literally locked out of their homes or offices
2021-06-08 13:05

Synopsys Cybersecurity Research Centre has warned of easily triggered denial-of-service vulnerabilities in three popular open-source Internet of Things message brokers: RabbitMQ, EMQ X, and VerneMQ. The message brokers, responsible for handling data sent to or from IoT devices like smart home hubs and door locks, all share a common protocol: Message Queuing Telemetry Transport (MQTT), first released in 1999 for monitoring oil pipelines and since repurposed for a variety of home and industrial automation tasks. Any disruption in MQTT messaging could potentially leave users locked out of their homes and offices.

New Google Tool Helps Developers Visualize Dependencies of Open Source Projects
2021-06-07 12:06

Google has launched a new experimental tool designed to help application developers visualize the dependencies of open source projects. In an effort to help developers gain a better perspective into the packages their open-source projects rely on, Google has introduced Open Source Insights, an exploratory visualization site that offers a view of dependencies in an organized and accessible way.

New Google tool reveals dependencies for open source projects
2021-06-07 10:25

Google has been working on a new, experimental tool to help developers discover the dependencies of the open source packages/libraries they use, along with any known security vulnerabilities those dependencies currently carry. Open Source Insights is a Google Cloud Platform-hosted tool that's accessible via a website into which users can enter the name of specific open source packages and get an overview of how they are put together.

Have I Been Pwned goes open source, bags help from FBI
2021-06-01 01:47

Last year, the man Down Under announced plans to make key portions of the system open source for others to pick up, use, and improve. Now the Pwned Passwords code base is available from GitHub under a BSD three-clause license.

AlmaLinux OS 8.4: A free open source alternative to CentOS
2021-05-31 01:30

The AlmaLinux OS Foundation announced availability of AlmaLinux OS 8.4 just one week after the release of Red Hat Enterprise Linux 8.4. "This is our second stable release, since the project was announced in December," said Jack Aboutboul, community manager of AlmaLinux.

Elastic broadens support for osquery, the open source host instrumentation framework
2021-05-31 00:30

Elastic announces new updates across the Elastic Security solution in its 7.13 release to broaden support for osquery, the open source host instrumentation framework, with a new host management integration for Elastic Agent and unified analysis of osquery host data. The osquery host management integration, now in beta, enables security teams to use osquery results to address cyber threats without the complexity or cost of a separate management layer.

How to achieve persistent SSH connections with the open source MOSH
2021-05-27 14:54

You don't want that, which is why you should employ a tool like MOSH. MOSH stands for Mobile Shell and makes it possible for you to keep a persistent SSH connection, even if you change networks or your connection momentarily drops. Under the hood, MOSH logs the user in via SSH and then starts a connection on a UDP port between 60000 and 61000 to keep the connection persistent.

Open-source tool Yor automatically tags IaC resources for traceability and auditability
2021-05-27 08:00

Yor is an open-source tool from Palo Alto Networks that automatically tags cloud resources within infrastructure as code frameworks such as Terraform, CloudFormation, Kubernetes, and Serverless Framework. Yor helps security teams trace a security misconfiguration from code to cloud, automates the tedious work of manually tagging cloud resources, and enables highly effective GitOps across all major cloud providers.

What to do about open source vulnerabilities? Move fast, says Linux Foundation expert
2021-05-26 11:34

Automated testing and rapid deployment are critical to defending against vulnerabilities in open source software, said David Wheeler, director of Open Source Supply Chain Security at the Linux Foundation. Wheeler referenced a 2021 report by software security and IoT company Synopsys which said there are an average of 528 open source components per application, that 84 per cent of codebases have at least one vulnerability, and the average number of vulnerabilities per codebase is 158.