2020 cybersecurity risks: Insecure security tools, supply chains, abandonware

Abandonware is something that your regular review of IT assets (you DO have one?) should pick up. Think of it as spring cleaning for software. I have some very old platforms that I look after for clients that I regularly flag as “you should upgrade/migrate this”. How does it make you feel when you learn that “two guys named Steve” are maintaining part of your critical systems on a part-time basis?

Open Hardware Monitor is a free, open source program that monitors the temperature sensors, fan speeds, voltages, load and clock speeds of a computer. Tens of millions of computers use Open Hardware Monitor in their monitoring systems, including HP Touchpoint Analytics. When examining the GitHub repo, many unacknowledged issues were found, and the software itself appeared not to have been updated in a year or more. This is a concern because the code runs on so many endpoints and with very high access privileges.
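The review described above (is the repo still maintained, are issues being acknowledged, how many people keep it alive, and how much damage an abandoned component could do given its privileges and footprint) can be turned into a repeatable check. The script below is an added example, not code from the article or from any of the projects it names: the inventory entries, thresholds and scoring weights are all constructed assumptions, and the repository metadata is supplied by hand here rather than fetched from GitHub.

```python
"""Abandonware check for a software inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not values from the article.
STALE_DAYS = 365       # no commit in a year: treat as possibly abandoned
UNACKED_RATIO = 0.5    # over half of open issues never got a maintainer reply
BUS_FACTOR_MIN = 3     # fewer active maintainers than this is a key-person risk
BROAD_DEPLOYMENT = 1000  # endpoint count above which exposure is treated as broad


@dataclass
class Asset:
    """One inventoried component plus the repo metadata gathered during review."""
    name: str
    last_commit: date
    open_issues: int
    unacknowledged_issues: int   # open issues with no maintainer response
    active_maintainers: int      # people who committed in the review window
    runs_privileged: bool        # runs as root/SYSTEM or with a kernel driver
    endpoints: int               # how many machines run it


def assess(asset: Asset, today: date) -> dict:
    """Return findings, a risk score and a recommended action for one asset.

    Likelihood of abandonment is the number of maintenance findings;
    exposure grows with privilege and deployment breadth. score = likelihood * exposure.
    """
    findings = []
    age_days = (today - asset.last_commit).days
    if age_days > STALE_DAYS:
        findings.append(f"no commit in {age_days} days")
    # Guard against division by zero when there are no open issues.
    if asset.open_issues and asset.unacknowledged_issues / asset.open_issues > UNACKED_RATIO:
        findings.append(
            f"{asset.unacknowledged_issues}/{asset.open_issues} open issues unacknowledged")
    if asset.active_maintainers < BUS_FACTOR_MIN:
        findings.append(f"only {asset.active_maintainers} active maintainer(s)")

    exposure = 1
    if asset.runs_privileged:
        exposure += 1
    if asset.endpoints >= BROAD_DEPLOYMENT:
        exposure += 1

    score = len(findings) * exposure
    if score >= 6:
        tier = "migrate"   # plan an upgrade/migration or take over maintenance
    elif score >= 2:
        tier = "watch"     # re-check next review cycle, track the open findings
    else:
        tier = "ok"
    return {"name": asset.name, "score": score, "tier": tier, "findings": findings}


def review(inventory: list, today: date) -> list:
    """Assess every asset and return the results, highest risk first."""
    return sorted((assess(a, today) for a in inventory), key=lambda r: -r["score"])


# Constructed inventory for demonstration; names and figures are invented.
TODAY = date(2020, 3, 1)
INVENTORY = [
    Asset("hw-sensor-agent", date(2018, 12, 15), 40, 30, 2, True, 50_000),
    Asset("tls-library", date(2020, 2, 20), 120, 10, 2, False, 200_000),
    Asset("internal-cli-tool", date(2019, 11, 1), 0, 0, 5, False, 12),
]

if __name__ == "__main__":
    for result in review(INVENTORY, TODAY):
        print(f"{result['tier']:8} score={result['score']:2} {result['name']}")
        for finding in result["findings"]:
            print(f"         - {finding}")
```

The point of separating likelihood from exposure is the one the article makes: a stale repo with two part-time maintainers is a nuisance when it backs an internal tool on a dozen machines, and a critical risk when the same code runs privileged on tens of thousands of endpoints. Feeding real data in means recording last-commit dates, issue response rates and committer counts during the asset review, which is exactly the spring-cleaning pass the article asks for.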

Another example: Heartbleed – a security bug in the OpenSSL cryptography library – exposed nearly all encrypted Internet traffic to a real security risk.

OpenSSL is a cryptography library widely used by internet servers to encrypt users’ activity and the traffic to and from websites. When the existence of the Heartbleed vulnerability was revealed, we all became uncomfortably aware that the security of such a critical element of the global online infrastructure depended on two guys named Steve who looked after it on a part-time basis.

Original article here