Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There's a couple jargon-filled writeups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically if you don't have that patch then if you connect to a multiplayer server then you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers of just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well...especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there has been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked...whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
Some days I feel like the Violinist on the Titanic. Just playing along as the ship sinks and slowly starts breaking apart.
Whatever happens, gentlemen, it’s been a privilege memeing with you.
So I guess this means we are going back to the 1880s whether we want to or not.
Ha lol I have the lamps but no typewriter 🙁 dang!
Dang it! I COMPLETELY forgot about a typewriter so I can start writing my memoirs during the cyber apocalypse! 🤦🏼‍♀️
Pen & paper also work... or pencil, I suppose.
typewriter memes
good luck finding ink ribbons!
I have a re-inker and a huge bottle of ink. It works for typewriter ribbons as well as old dot matrix printer ribbons. In fact it was actually designed for the printer ribbons.
Amazon has new ribbons, and they aren't super expensive. Just google "typewriter ribbons."
Just remember when you're buying a kerosene lamp to get one with the safety valve so they don’t explode and set fire to your house :-)
Standard old-fashioned kerosene lamps don't explode. They aren't enclosed tightly in any way. There is a glass container to hold the kerosene. There is a metal wick holder on top of that. The wick sticks through that down into the kerosene. There is an adjusting knob to raise and lower the wick. Nothing is sealed. Then there is a glass shade to block drafts and allow the light to shine out.
I have been around kerosene lamps my whole life. I'm looking at three across the room from me right now.
Here's one for just $5.99: https://www.hobbylobby.com/Home-Decor-Frames/Candles-Fragrance/Diffusers-Oils/Oil-Lamplight/p/80645858
One thing you might consider is getting lamp oil instead of kerosene, especially if you have respiratory problems and plan on using one a lot. My plan, if things go south, is to go to bed when it gets dark and get up when it gets light. That dispenses with the need for much lighting. Candles will be sufficient then.
More like 8 thousand BC. Yep more like that.
When you build a system that can be easily destroyed, it gets destroyed.
Why that far back? Our minds and human positive ingenuity will still be intact. Please, we have the knowledge and we can overcome adversity; we just need new and better ways to achieve without the chains of corrupt government binding us.
^^ THIS. ^^ Touché
The meme will be with you, always
NEVER LET GO!🐸
Wow, that's a visual I totally understand
Lmfao bro I’ve been saying that to the fam and friends lately hahaha great minds think alike. And at least we are fighting and standing our ground. Not asleep sheeple