After a while, it finally arrived: the first weekend of real vacation in almost two years. Wine, food, skis in the car, social network notifications muted and out of office activated. What could possibly go wrong? I got the answer once back home... The internet was completely on fire because of CVE-2021-44228.
As soon as I understood it, it was the scariest vulnerability I had seen since I started working in security. I started checking everything for my clients, sending emails, contacting service providers to check and patch everything as soon as possible. After this hell of a day, I checked my phone and I had a good number of unanswered texts from friends who had been with me on the mountains the day before and had seen me disappear behind my laptop. Inevitably, the big question came...
Can you please explain to me in simple words why you've been so busy just after a couple of days of holidays? I really want to understand what happened and what is the impact of this invisible bomb.
Explaining a vulnerability in a Java library in simple words?!? The question devastates me... (yes, in those days I finally had time to open Netflix and watch "Tear along the dotted line").
I realized that it was not that easy to explain, as it was not the classic vulnerability that impacts just your laptop, your phone, or a specific application. It's... bigger, and more intangible. I tried to escape his question with a bunch of buzzwords. I also sent him a couple of tweets that tried to explain what happened. After that, I tried with memes. It didn't work. He was determined to understand. There was no way out. He is not technical and he doesn't want a technical explanation (understandably)... So I surrendered. I bought some time and opted for a video call in which I would explain everything in an hour...
You know what screws are, right? Screws are more or less everywhere. Just imagine a world where there is a very famous, small screw producer. For years he has offered his particular type of screw, and its instruction booklet, for free to everybody who needs it. So... since these screws are free, everybody can take them, and they work very well... everybody started to use them. From big companies to small ones... and also the DIY enthusiast. Companies that make doors use them. Companies that make locks, safes, car doors and drawers used them because those screws were free, well made, and apparently safe.
One day, a man playing with magnets suddenly discovered an easy way to unscrew them without needing a screwdriver. He posted what he discovered on Twitter and, obviously, lots of people started to take advantage of it in different ways. Since those screws were used everywhere, it was possible to open Tim Cook's doors as easily as the door of your neighbor. Obviously, Tim Cook's house has better alternative counter-measures than your neighbor's, but the principle is this. The problem is not only about the door... it may also be your drawer, the one behind the door. Exploiting that screw is so easy that now any employee around the office can open the drawer with very little effort. That specific type of screw is used in plenty of products and infrastructure, so the problem is huge.
Plenty of businesses were no longer safe, overnight. An army of handymen started to patch and replace that type of screw with a new one, trying to be faster than anyone who would try to exploit the situation.
But... there are a lot of these screws. There are the ones that are hard to change because they have been in place forever. The forgotten ones are a problem too. Companies often lost track of which specific screw they used, so that is a problem as well. That kind of screw was also used in load-bearing beams of buildings that you can't touch, because modifying them would be very dangerous.
That's scary. So, what should I do on my side? I have my business and now I'm worried, but I don't know if and how I have to change these screws. It's not like updating my iPhone after a severe bug.
You are right, I said to him, it's not as easy as an iPhone upgrade. If you run a business, ask your handyman to check for those screws. Send a couple of emails or, if you have an IT provider or a Security department, ask them if they have already checked and patched everything, including any third-party software.
Cool stuff. I understand the problem and I'm gonna verify everything with my IT department as soon as possible. Thanks for the explanation. You should write an article about it, you know? It may be useful to somebody else.
Originally posted here: https://www.linkedin.com/pulse/log4shell-explained-your-non-technical-friend-andrea-barracu/
About the Author
Information Security Consultant with a strong focus on Social Engineering, currently living in Europe.
I have a background as a System Engineer and DevOps engineer, where I discovered my passion for the Offensive Security field. My strong interest in Psychology and the world of con artists led me to shape my professional profile around any form of Social Engineering and anything related to the Human Factor in the security field.
I have experience in Red/Blue Teaming operations in the U.S.A. and Italy, including physical and social engineering penetration tests. OSINT investigations, physical penetration tests, network / web-app penetration tests, security awareness training, security policy advisory, and so on are just a few of the activities that I conduct with my colleagues and with the collaboration of a trusted team of security experts.