I’m just getting caught up about it at a high level at the moment. Since transitioning to the beer world, I don’t get immediate exposure to threat intel as when I was in the IT world. I’m wondering if the average person should take additional steps such as uninstalling Java? Some software vendors that I work with have pushed patches, but useful best practices for end users from SSPs has been rather sketchy to this point.
It was definitely dumb luck, but I began moving all IoT devices to the guest network at home about a month ago. Apparently a lot of that stuff is running Apache. Also, my partners in the IT world are saying that they finally have enough leverage to remove Java and Flash ← didn’t know that was still a thing.
(usual caveats, I am not a lawyer, do not eat cheese before bedtime etc).
So log4j is a logging diagnostics library, something used to record info in running apps. It’s really common in the server world on the Java side. A good explanation of the issue is here:
If you run Apache and it’s public internet facing then it’s a serious issue, just because it’s such an old and fundamental utility library that one package you’re using is probably not updated yet. The exploit is around user input being able to cause a remote execution, meaning that things like environment variables server-side can be leaked.
If you use Windows and don’t run an Apache server you’re probably ok. If you run a Linux server with Apache you need to update. I don’t know if it’s worth removing Java from a regular client PC just for this.
For the forum here we don’t need to update because it uses a Ruby run-time and nginx server.
The main articles site was down yesterday for a bit while the host we use patched it up. That doesn’t have people’s logins or anything super important that isn’t backed up, so the worst we might see is a really biased review written by a hacker, so let’s keep an eye out for that.
As far as I know, that will not fix the issue. Log4j doesn’t come with Java but is a library developers add to improve their logging capabilities … so they add it to products.
For consumers … protect/sandbox your IoT devices because there are a surprising number of those with Log4j in it, intentionally or not, but other than that, this is generally not a consumer issue. Generally. That is not legal guidance. Patch everything every second of the day.
The company I work for had me spend about 3 days investigating everything that we have in the IT inventory. In our case (C/C++ development) none of our products were affected directly. We use Jira, Confluence, Bitbucket and a bunch of other development support services. We found log4j, old, old versions that are not affected by that particular vulnerability, in a lot of places, but we only found the 2.x version in ElasticSearch (a bundled component of Bitbucket) and … our wireless repeaters. Yeah.
Others in the companies under our parent are not having a nicer time. They do a lot of web development and Java is in a lot more places than they thought.
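The inventory sweep described in the post above is the part most people end up doing by hand. Here is an added example (my own, not code from the poster or from the Log4j project) of the check in script form: it walks a directory, opens every JAR/WAR/EAR, looks inside nested archives too, and reports the bundled log4j-core version from its Maven `pom.properties` plus whether the `JndiLookup` class is present. It treats any 2.x release before 2.15.0 as affected by the JNDI lookup issue (the real range starts at 2.0-beta9; 1.x is not affected by that particular bug, which matches the "old, old versions" finding). The `demo()` function builds constructed sample archives in a temp directory so the script runs offline; the hostnames, file names and version strings in it are made up for the demo.

```python
"""Find bundled log4j-core in JARs, including JARs nested inside WARs/EARs (added example)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Locations inside a log4j-core JAR: the Maven metadata carries the version,
# the JndiLookup class is the component behind the JNDI lookup issue.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _parse_version(text):
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _version_tuple(version):
    # "2.14.1" -> (2, 14, 1); "2.0-beta9" -> (2, 0, 9); enough for range checks
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_affected(version):
    """True for log4j-core 2.x below 2.15.0 (JNDI lookups enabled by default)."""
    v = _version_tuple(version)
    return (2, 0) <= v < (2, 15)


def scan_zip(zf, path_label, findings):
    """Record log4j-core evidence in one open archive, then recurse into nested archives."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
    if version or JNDI_LOOKUP in names:
        findings.append({
            "path": path_label,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names,
            "affected": bool(version and is_affected(version)),
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive, skip it
            scan_zip(inner, f"{path_label}!/{name}", findings)


def scan_path(root):
    """Scan a file or directory tree; returns one finding per log4j-core hit."""
    findings = []
    root = Path(root)
    files = [root] if root.is_file() else root.rglob("*")
    for p in files:
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(p) as zf:
                    scan_zip(zf, str(p), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(path, version=None, include_jndi_lookup=True, nested_in=None):
    """Write a constructed archive that mimics log4j-core's layout (not a real log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    data = buf.getvalue()
    if nested_in:  # wrap the jar inside an outer WAR, as a web app would ship it
        with zipfile.ZipFile(path, "w") as outer:
            outer.writestr(nested_in, data)
    else:
        Path(path).write_bytes(data)


def demo():
    """Build constructed samples in a temp dir, scan them, key results by outer file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(Path(tmp) / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(Path(tmp) / "log4j-core-2.17.1.jar", "2.17.1")
        build_sample_jar(Path(tmp) / "app.war", "2.12.0",
                         nested_in="WEB-INF/lib/log4j-core-2.12.0.jar")
        build_sample_jar(Path(tmp) / "plain.jar", None, include_jndi_lookup=False)
        return {Path(f["path"].split("!/")[0]).name: f for f in scan_path(tmp)}


if __name__ == "__main__":
    for name, f in demo().items():
        print(name, f["version"], "affected" if f["affected"] else "ok", f["path"])
```

Point it at a real tree with `scan_path("/opt/atlassian")` or similar; anything reported with `affected` set is a candidate for the vendor's patch, and a hit with `jndi_lookup_present` but no version means a repackaged copy that needs a closer look.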
I really appreciate both of you guys chiming in with your thoughts. I suppose that the takeaway for businesses is to verify that your software vendors, hardware vendors, and network admins are taking action to patch where needed, and for home administrators to use this as a time to review, patch, and segregate where needed.
I’ve moved most of our IoT devices to the guest network, which only allows access to the Internet. The goal is to only have home and work computers, router, access points, and printers with LAN access. I haven’t decided what to do with the kids’ Chromebooks. Like phones and tablets, they are fairly hardened, but the kids haven’t developed a healthy dose of skepticism yet. And they continue to surprise me where their inquisitive minds will take them technology-wise. I should probably put them on the guest network as well along with a monochrome laser printer.
Here is a list of IoT devices that I’ve removed from the LAN. I know, they should have never been on the LAN in the first place. Smart thermostats and electrical outlets/switches, TVs, streaming boxes and sticks, PS4 and Switch gaming consoles, smart phones, smart watches, tablets, cameras, alarm system, irrigation controller, and an HNT hotspot. The list is long, yet I have the feeling I have forgotten something. Looking at you, coffee maker.
The S in IoT stands for Security after all! (I know I keep making that joke, but it still works)
A next step on from network isolation using a guest network would be a Pi-hole, either on a spare hub PC or Raspberry Pi for fun. Using that as your DNS server for everything helps with Smart TVs, reduced ad traffic and, of course, Extra Curious Kids (ECKs) and the like.
If they can set up their own local DNS tunnel then they probably are past any tech solution. Plus it’s fun to watch what your fridge is trying to talk to.
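The "watch what your fridge is trying to talk to" part is easy to do from the Pi-hole query log. Here is an added example (my own script, not from the poster above or from the Pi-hole project) that summarises dnsmasq-style query lines per client: how many lookups each device made, which domains, which of those were blocked, and whether the client sits on the guest subnet. The log lines are constructed for the demo and follow the `query[A] <domain> from <client>` / `gravity blocked <domain> is <ip>` shape that Pi-hole's dnsmasq log uses; treat that format, the `192.168.2.` guest prefix and the `.invalid` hostnames as assumptions to adjust for your own setup.

```python
"""Per-client summary of a Pi-hole/dnsmasq query log (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq/Pi-hole query-log style (not captured from a real system).
SAMPLE_LOG = """\
Dec 12 20:01:02 dnsmasq[742]: query[A] firmware.fridge-vendor.invalid from 192.168.2.40
Dec 12 20:01:02 dnsmasq[742]: forwarded firmware.fridge-vendor.invalid to 1.1.1.1
Dec 12 20:01:03 dnsmasq[742]: query[A] telemetry.fridge-vendor.invalid from 192.168.2.40
Dec 12 20:01:03 dnsmasq[742]: gravity blocked telemetry.fridge-vendor.invalid is 0.0.0.0
Dec 12 20:01:05 dnsmasq[742]: query[AAAA] ads.tv-vendor.invalid from 192.168.2.41
Dec 12 20:01:05 dnsmasq[742]: gravity blocked ads.tv-vendor.invalid is ::
Dec 12 20:01:09 dnsmasq[742]: query[A] video.streaming.invalid from 192.168.2.41
Dec 12 20:01:09 dnsmasq[742]: cached video.streaming.invalid is 203.0.113.10
Dec 12 20:02:00 dnsmasq[742]: query[A] docs.example.invalid from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(r"gravity blocked (?P<domain>\S+) is ")


def summarize(lines, guest_prefix="192.168.2."):
    """Return {client: {queries, domains, blocked, on_guest}} from dnsmasq-style log lines."""
    queried = defaultdict(lambda: {"queries": 0, "domains": set()})
    blocked_domains = set()
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:  # block lines carry no client, so collect the domain and attribute it below
            blocked_domains.add(m.group("domain"))
            continue
        m = QUERY_RE.search(line)
        if m:
            entry = queried[m.group("client")]
            entry["queries"] += 1
            entry["domains"].add(m.group("domain"))
    report = {}
    for client, entry in queried.items():
        report[client] = {
            "queries": entry["queries"],
            "domains": sorted(entry["domains"]),
            "blocked": sorted(entry["domains"] & blocked_domains),
            "on_guest": client.startswith(guest_prefix),
        }
    return report


def not_on_guest(report):
    """Clients that are not on the guest subnet: the list to review against the LAN allow-list."""
    return sorted(c for c, r in report.items() if not r["on_guest"])


if __name__ == "__main__":
    # On a Pi-hole the same lines come from /var/log/pihole.log.
    rep = summarize(SAMPLE_LOG.splitlines())
    for client, r in sorted(rep.items()):
        tag = "guest" if r["on_guest"] else "LAN  "
        print(f"{tag} {client}: {r['queries']} queries, blocked={r['blocked']}")
        for d in r["domains"]:
            print(f"       {d}")
    print("review (not on guest):", not_on_guest(rep))
```

Run it against the live log with `summarize(open('/var/log/pihole.log').readlines())`; a device that shows up under the LAN tag with vendor telemetry hostnames is the one that has not been moved yet, and a device whose blocked list grows after a firmware update is worth a second look.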
For those extra curious, here’s a good write-up of the exploit in action. It’s rare to see a decent takeover in steps, as usually there’s a cryptic CVE and people then have to guess what happens. This Log4j is so widespread there is no point in shutting the barn door after the bad LDAP query is out.
I won’t post it here, but the most fun (?*) exploit I’ve seen so far was someone who printed a t-shirt with a QR code with the exploit on it. As most CCTV cameras read, decode and then log what they see…
(I doubt it works completely, but I liked the effort)