Can Mirai Change Corporate Attitudes to IoT Security?

Last Friday marked a new milestone for DDoS attacks and the insecurity of IoT software. Don't let a good opportunity go to waste.

Akamai Discovers Public Open Source Vulnerability Being Exploited in 2M IoT Devices

Last week, Akamai reported that hackers are exploiting a 12-year-old OpenSSH vulnerability to mount mass-scale attacks from millions of compromised IoT devices, including routers, cable modems, satellite TV equipment, and IP-connected cameras, DVRs and NAS (Network Attached Storage) devices.

Lexumo CTO/Founder to Speak at IoT Security Summit

If you're planning to attend the IoT Security Summit in Boston next week, please stop by Booth #202 to say hello and meet the Lexumo team. Brad Gaynor, our CTO and co-founder, will also be speaking on two panels, including one with the former CIO/CISO/CTO of General Electric (GE).

BASHLITE, BusyBox, and Botnet Armies

You may have read about the massive botnet army of 1.5 million IoT devices that generated the world’s most powerful DDoS attack to date. Building an army usually requires the formidable resources of a nation-state – and an attack of this magnitude was previously nearly impossible for all but the most sophisticated and powerful actors to carry out. But DDoS attacks have become the Great Equalizer between private actors and nation-states.

The Insecurity of Medical Devices

The unique risks faced by medical-device manufacturers were brought home recently by a report from security researchers claiming that St. Jude Medical heart devices are vulnerable to "Homeland"-style cyberattacks. The report documents several critical vulnerabilities that it claims show “the company does not know how to do device security, or does not care about it.”

Shifting Left — and Right — with Open Source

You’ve probably heard about “shifting left” in the development process. But how do you shift left when you’re incorporating someone else’s code — such as OpenSSL, glibc, BusyBox, and bash? And how do you “shift right” when researchers discover new open source vulnerabilities on a regular basis, and you need to figure out which of your products in the field are affected — and how to quickly fix them?

Why Technology Designed for License Compliance Doesn’t Work for Security (Yet the Reverse is True)

You wouldn’t ship a product with known vulnerabilities, would you? While it seems simple on the surface, identifying known vulnerabilities in open source—exactly those vulnerabilities attackers are actively seeking to exploit—is actually a fairly difficult problem.

The Problem With Vulnerability Databases: They Don’t Identify Vulnerable Code

Vulnerability databases such as MITRE’s Common Vulnerabilities and Exposures (CVE) do a pretty good job of identifying vulnerable software packages and their vulnerable versions. The problem is that vulnerability databases do a poor job of actually identifying the vulnerable code.

Free Open Source Software Isn’t Free

Software is asymptotically approaching open source. So if software is eating the world, then free open source software is making it happen.
