log4j

Learn the truth behind the Log4j and the Log4shell vulnerability. Guest Rob Fuller explains the details behind the Log4j vulnerability and what is you need to do to protect yourself. We talk about all the information that is coming up and how to weed through the miss information. 

Rob's News Recommendations. 
📰 https://www.zdnet.com/

🥇Get 1 on 1 Career Coaching from the Bearded I.T. Dad: https://thebeardeditdad.com/career-coaching/ 🥇

💗WAYS TO SAY THANKS & SUPPORT THE CHANNEL💗
📣Rate and leave a review, Share the Podcast, and Subscribe to the channel: This costs nothing but helps a lot!
🌕Channel Membership: Get exclusive live streams, extra content, a loyalty badge, and more! This also helps keep the caffeine flowing. https://www.youtube.com/c/TheBeardedITDad/join
☕Buy Me a Coffee @ https://www.buymeacoffee.com/thebeardeditdad
💲Get access to exclusive content @ Patreon https://www.patreon.com/thebeardeditdad
👕The Bearded I.T. Dad Merchandise: https://thebeardeditdad.com/shop/

---------------

If you would like to be on the show or would like to suggest a speaker please fill out our forum: https://forms.gle/9JkrYPCPnKG7kHJk7

---------------
Youtube: https://www.youtube.com/@TheBeardedITDad
Discord: https://itdad.info/Discord
Facebook: https://www.facebook.com/TheBeardedITDad
Twitter: https://twitter.com/TheBeardedITDad
Website: https://thebeardeditdad.com

Guest:

• Dr Nicky Ringland, Product Manager for Open Source Insights, Google

Topics:

• Let's talk Open Source Software - are all these dependencies dependable?
• Why was log4j such a big thing - at a whole ecosystem level?
• Was it actually a Java / Maven problem? Are other languages “better” or more secure?
• Is another log4j inevitable? What can organizations to minimise their own risks?

 Resources:

• Google Cloud Next 2022
• Open Source Insights at deps.dev
• Blog at blog.deps.dev with posts on Understanding the Impact of Apache Log4j Vulnerability and what happens After the Advisory
• Assured Open Source Software service

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can't be treated as individual vulnerabilities. We often treat risk as a binary measurement instead of a sliding scale.

Show Notes

• gsd.id
• The Register OpenSSL story
• OpenSSL bug

Adam Baldwin (@adam_baldwin)
Amélie Koran (@webjedi)

https://logging.apache.org/log4j/2.x/license.html

https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/

F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS.
https://twitter.com/BleepinComputer/status/1480182019854327808

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries

Faker.js - https://www.npmjs.com/package/faker  Generate massive amounts of fake contextual data
Colors.js - https://www.npmjs.com/pafaker  - npm package/colors get color and style in your node.js console

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Should OSS teams expect payment for giving their time/code away for free? What are their expectations

Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity?

OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/

https://webjedi.net/2022/01/03/security-puppy/

Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists

https://en.wikipedia.org/wiki/History_of_free_and_open-source_software
History of open source

Licensing Overview: https://youtu.be/Eu_GvrSlShI  (this was a talk I gave for Splunk on this --AK)

Event-stream = https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

https://libraries.io/
Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to.

On this inaugural episode of the show, veteran security leader and world-famous podcaster: Josh Bressers joins host Kim Weins to discuss the log4j security vulnerability and the way forward in preparation for the next zero-day attack.

HAPPY NEW YEAR!!! Our first week returning covers: iOS "DoorLock" vulnerability, Apache Log 4J, US Cyber Command Intel, Ransomware, and more!

In this weeks episode, the cybersecurity experts Bryan Hornung, Reginald Andre and Randy Bryan will discuss how hackers are mailing malicious USB flash drives to spread ransomware. Next, the team discusses how external hackers breahc 93% of organizations networks and gained access to their internal systems within two days. Then, the team goes over how many agencies were unable to patch Log4J because of EoL systems. Lastly, the experts discuss how American schools still remain vulnerable to cyberattacks.

Adam Baldwin (@adam_baldwin)

Amélie Koran (@webjedi)

Log4j vulnerability

https://logging.apache.org/log4j/2.x/license.html

https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/

https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/ 

F/OSS developer deliberately bricks his software in retaliation for big companies not supporting OSS. 

https://twitter.com/BleepinComputer/status/1480182019854327808

https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

https://developers.slashdot.org/story/22/01/09/2336239/open-source-developer-intentionally-corrupts-his-own-widely-used-libraries

Faker.js -  https://www.npmjs.com/package/faker Generate massive amounts of fake contextual data

Colors.js -  https://www.npmjs.com/pafaker - npmckage/colors get color and style in your node.js console

https://abc7ny.com/suspicious-package-queens-astoria-fire/6425363/

Should OSS teams expect payment for giving their time/code away for free? What are their expectations

Should open source projects be aware of how popular they are? What happens when they reach a certain level of popularity? 

OSS Sustainability - https://github.blog/2019-01-17-lets-talk-about-open-source-sustainability/

https://webjedi.net/2022/01/03/security-puppy/

Apparently, “Hobbyists” were the bane of a young Bill Gates: (can you https://en.wikipedia.org/wiki/Open_Letter_to_Hobbyists

https://en.wikipedia.org/wiki/History_of_free_and_open-source_software

History of open source

Licensing Overview: https://youtu.be/Eu_GvrSlShI (this was a talk I gave for Splunk on this)

Event-stream = https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

https://libraries.io/

• Libraries.io monitors 5,039,738 open source packages across 32 different package managers, so you don't have to. 

Note: Don't miss Killing IT Live - January 19th at 9am Pacific - Register now at https://killingitlive.com 

Topic 1: The “Cyberdemic” will continue, according to Experian.

Record breaking number on cyber breaches. Many elements conspire against us. What can you do?

Link:
https://www.bloomberg.com/press-releases/2021-12-06/the-cyberdemic-will-continue-according-to-the-2022-experian-data-breach-industry-forecast 

Topic 2: OpenSource and the internet. Solid code, to a point.

Should we have a way to hold someone responsible? Is a "Software Bill of Materials" a good idea or bad idea?

Links:
https://www.technologyreview.com/2021/12/17/1042692/log4j-internet-open-source-hacking/

https://www.linkedin.com/pulse/sbom-good-intentions-bad-analogies-uglyoutcomes-alex-gantman/ 

Topic 3: Winning by being human?

When cyber criminals are doubling down on AI and expensive programming, perhaps we need to take a lower-tech approach to defeating them. Here are some options.

Link:
https://www.wsj.com/articles/magnus-carlsen-ian-nepomniachtchi-world-chess-championship-computer-analysis-11639003641

-----

Sponsor Note: Calyptix

Cyber security for small business is overwhelming. Unprecedented threats, escalating rhetoric and limited resources. So lean on your community. The Calyptix Community Shield automatically unites small businesses and raise the costs and challenges for cybercriminals by harnessing threat intelligence from our community. If they attack any one of us, everyone gets the benefit with Community Shield.

An example? A log4J blocklist for scanners and exploits, rolled out specifically for outbound events - All for no added cost. By working together, we will prevail. Learn more at https://calyptix.com and tell them we sent you.

:-)

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course "no", but why it is no is very complicated. Far more complicated than either of us thought it would be.

Show Notes

• Will cyber security vulnerabilities ever "stop existing" ?