Newsletter 12/20/2021
Log4j. Pt.2. Mars is safe (for now). Don't know about Earth.

ED NOTE: As the digerati attempt to get the rest of the world to come to grips with what might be the very serious long-term implications of the Log4j vulnerability, the digerati are learning what I learned a long time ago. To quote that late great Philosopher King, Phil Ochs,

But Monopoly is so much fun, I'd
hate to blow the game
12/14/2021 “If I asked you, ‘hey show me the salt you have in your house,’ you would probably walk up to the salt you have sitting on the table, maybe some you have hidden in the cabinet,” Cofrancesco said. “What you probably wouldn’t do is show me ‘hey, here’s my Panera sandwich, or here’s the soup I have, or here’s the juice I have, my powerade.’ All those other things have salt in it, it’s just obscured by the fact that there are a bunch of other ingredients. That is precisely what is going on here.”

Before you do anything today, BACKUP! BACKUP! BACKUP! And then DISCONNECT YOUR BACKUP DRIVE FROM YOUR COMPUTER.
12/20/2021 As the tech world tries to come to grips with the long-term fallout from the Log4j vulnerability, the search for embedded Java libraries, in too many applications to mention here, continues. Consumer products from both Apple and Microsoft are vulnerable to a remote code execution attack through a JAR file handler in their products. A Microsoft posting of Dec. 16 is most illustrative of the JAR file issue: JAR files and their remnants are hard to find. "As of this writing (12/16/2021), discoverability [in Microsoft 365 Defender] is based on the presence of vulnerable Log4j Java Archive (JAR) files on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but coverage for these instances and other packaging methods is in-progress. Support for Linux and macOS is also in-progress and will roll out soon."
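Why an "Uber-JAR" or a shaded copy is harder to find is easier to see with a small scanner in hand. The following Python is an added example, not code from this newsletter, from Microsoft, or from the Apache Log4j project. It treats every JAR/WAR/EAR as the zip container it is, recurses into archives nested inside archives (the Uber-JAR case), and matches the JNDI lookup class on its path suffix only, because shading tools relocate the package prefix. The directory it walks is whatever you pass on the command line (an assumption); the sample application JAR it scans by default is constructed in memory and is not a real Log4j build.

```python
"""Added example: find Log4j 2 copies inside JARs, nested JARs and shaded packages."""
import io
import os
import sys
import zipfile

# The class that implements the JNDI lookup. Shading tools relocate the package
# prefix (e.g. com/vendor/shaded/org/apache/...), so match on the suffix only.
JNDI_SUFFIX = "log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships with; yields the version when present.
POM_PROPS_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXTENSIONS = (".jar", ".war", ".ear")


def _version_from_pom(props: bytes) -> str:
    """Pull the version= line out of a Maven pom.properties file."""
    for line in props.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_jar_bytes(data: bytes, label: str, depth: int = 0, max_depth: int = 5) -> list:
    """Return findings for one archive held in memory, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        version = "unknown"
        for name in names:
            if name.endswith(POM_PROPS_SUFFIX):
                version = _version_from_pom(zf.read(name))
        for name in names:
            if name.endswith(JNDI_SUFFIX):
                findings.append({
                    "location": label,
                    "entry": name,
                    "version": version,
                    # A relocated package prefix is the signature of a shaded copy.
                    "shaded": not name.startswith("org/apache/logging/log4j/"),
                })
            elif name.lower().endswith(NESTED_EXTENSIONS) and depth < max_depth:
                # Uber-JAR case: the library is a JAR inside the application JAR.
                findings.extend(scan_jar_bytes(zf.read(name), f"{label}!{name}", depth + 1, max_depth))
    return findings


def scan_directory(root: str) -> list:
    """Walk a directory tree (the path is an assumption) and scan every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(NESTED_EXTENSIONS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_jar_bytes(fh.read(), path))
    return findings


def build_sample_uber_jar() -> bytes:
    """Constructed input: an app JAR bundling a shaded log4j-core 2.14.1 as a nested JAR."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
        z.writestr("com/example/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class",
                   b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/app-deps.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_jar_bytes(build_sample_uber_jar(), "sample-app.jar")
    for r in results:
        flag = "shaded" if r["shaded"] else "plain"
        print(f"{r['location']}: log4j-core {r['version']} ({flag}) at {r['entry']}")
```

Run with no arguments it reports the constructed sample as `sample-app.jar!lib/app-deps.jar: log4j-core 2.14.1 (shaded)`. Two caveats a practitioner should keep in mind: the presence of `JndiLookup.class` says a Log4j 2 copy is there, not which version it is, so the version string (when the build kept `pom.properties`) is what to compare against the current Apache release; and a copy whose metadata was stripped during shading shows up as version "unknown" and needs a look by hand.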
The similarities with Covid have also not gone unnoticed. The linked article is worth reading to gain some clarity on the how and why of spread. "It's not unreasonable to suggest that immunology and cybersecurity could learn a lot if they talked more. Sometimes, though, the parallels are far too close for comfort." Every new patch fails to permanently fix the problem, as does each new Covid mitigation. At the time of the announcement, we were at Apache Log4j version 2.14. In less than a week, it is now up to version 2.17.
But, hey, who's counting?

WebSockets have been a part of most common browsers over the last 10 years and are used for a number of tasks as users browse. Commonly used for applications like chat and alerts on websites, WebSockets are great at passing timely information back to the browser and allowing the browser to quickly send data back and forth.

All it takes to exploit the WebSockets vulnerability is a small piece of JavaScript. The WebSockets vulnerability requires no user interaction to be exploited. It can reach and infect systems that the OS knows as "localhost," that is, the very machine the browser is running on. "The client itself has no direct control over WebSockets connections. They can silently start when a webpage loads. Don't you love the word 'silently' in this context? I know I do." I am not the only snarky writer in the digerativerse. (I can make up new tech terms, too.)
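The newsletter's point that a page can open WebSocket connections "silently" has a defender's corollary it does not spell out: a service that listens on localhost cannot treat "local" as "trusted," because the browser will carry any page's connection there. The standard check is on the server side of the handshake, where the browser-supplied Origin header (which page script cannot alter) is compared against the origins the service expects. The Python below is an added example written for this page, not code from the newsletter or from the article it quotes. The header names and the accept-key derivation are from RFC 6455; the allowed-origin list, the sample requests and the hypothetical `/ws` path are constructed here.

```python
"""Added example: Origin check on a WebSocket upgrade request for a localhost service."""
import base64
import hashlib

# Fixed GUID from RFC 6455 used to derive the Sec-WebSocket-Accept value.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumption: the only page allowed to talk to this local service is its own UI.
ALLOWED_ORIGINS = frozenset({"http://localhost:8080"})


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_headers(raw_request: str) -> dict:
    """Lower-cased header map from the text of an HTTP/1.1 request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decide_upgrade(raw_request: str, allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Return (accepted, http_status, accept_value_or_reason) for an upgrade request."""
    h = parse_headers(raw_request)
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return (False, 400, "not a WebSocket upgrade")
    key = h.get("sec-websocket-key")
    if not key:
        return (False, 400, "missing Sec-WebSocket-Key")
    # Browsers always send Origin on a WebSocket handshake, and page script cannot
    # change it. A service bound to localhost still has to check it, because
    # "local" says nothing about which web page started the connection.
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return (False, 403, f"origin not allowed: {origin!r}")
    return (True, 101, accept_key(key))


# Constructed sample handshakes. The key is the example value from RFC 6455.
SAMPLE_LOCAL_REQUEST = (
    "GET /ws HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: http://localhost:8080\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)
# The same handshake as the browser would send it on behalf of a page from another site.
SAMPLE_FOREIGN_REQUEST = SAMPLE_LOCAL_REQUEST.replace(
    "Origin: http://localhost:8080", "Origin: https://some-other-site.example")

if __name__ == "__main__":
    for label, req in (("own UI", SAMPLE_LOCAL_REQUEST), ("other site", SAMPLE_FOREIGN_REQUEST)):
        print(label, "->", decide_upgrade(req))
```

The first sample is accepted with status 101 and the RFC's expected accept value; the second is refused with 403 before any application code sees it. This is defense in depth for local services, not a fix for Log4j itself: the vulnerable library still has to be patched, and a service that accepts connections from every origin gives a malicious page a path to it regardless of where it is bound.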
A major payroll provider used by thousands of businesses in the United States, including government agencies, is reporting that it expects to be down for “weeks” due to a devastating ransomware attack.
A good survey of the many ransomware attacks that are being facilitated by the Log4j vulnerability can be read here. Ransomware attacks usually tick up during the holiday season for a variety of reasons. Log4j has made this a much easier proposition for the crooks, though. Whatever the vulnerability source, Erich Kron (security awareness advocate at KnowBe4) notes that the holiday vacation period for many companies is when cyber criminals can be expected to pull double shifts: “Ransomware gangs often time attacks to take place when organizations are short staffed due to holidays, or when they are extremely busy, with the hope that the attack will take longer to spot and response times will be much slower. In addition, the pressure to service customers during these crucial times can be very high, making it more likely that the victim will pay the ransom in an effort to get operations back up and running quickly … Unfortunately, the Grinch has impacted Christmas for a lot of people using the KPC services (ed. Kronos Payroll Service). Hopefully, this does not result in a subscription to the ‘Jelly of the Month Club’ in lieu of the annual bonuses.”
So you see, none of this is propeller-head theoretical nonsense. Real people are experiencing real pain in real time. Kids who had little Christmas morning joy last year may now have even less joy this Christmas. And why is this? The reason is that so many companies were too cheap, too short-sighted, too ignorant and too uncaring to really educate or concern themselves about the real-world dangers of real-world malware. Just as those who refuse to be vaccinated are primarily responsible for the continuing scourge of Covid, these IT professionals who built into their applications software well known to be vulnerable to exploitation of these well-known vulnerabilities are responsible for what is happening now.
What! You think we're stupid? We're NASA. What we do is Rocket Science. So, is the inverse of that statement true?

Gerald Reiff