Serious Techy Business Thread

Funnily enough I've got the head of our dev team wanting to discuss the issues from last month's pen tests that they are trying to wriggle out from. My answers will be "do I look like InfoSec? Ask them...". I'm done with sorting out every other bugger's work for them. 

I am InfoSec and I wish I could be done with sorting out every other bugger's work for them.

I understand that people are busy but they wrote the code with the big fucking holes in it. They need to fix it.

I am this far (gestures) away from escalating it up to the superiors, tbh.

Blimey. That definitely seems like their job and not yours!

Ours know what to do (which is a good job, because I knew little about coding and was never a dev!), they're just "too busy" to do the work. For about 2 years now.

Which has led to things like this:



The implications of this are potentially staggering (Oh Hi GDPR breach!) but they're still "too busy". It's time for the big boots, I think.

"It's complicated (TM)."

Wouldn’t it be a Three Letter Initialism? Not sure how effective a Three Letter Mnemonic would be.

www.ncsc.gov.uk/news/apache-log4j-vulnerability

logging.apache.org/log4j/2.x/security.html

In case you're wondering.

If you have any Apache applications, they'll need checking. You should also monitor 3rd party applications which use Apache. Eg, Cisco, VMWare etc etc.

I was in a meeting until 10pm on friday and im just finishing a 3hr meeting about it as we speak. Our attack surface is hilariously big.

I mean, it affects fucking minecraft, so I was updating the java version installed on the girls laptop on saturday.

The problem is, its an API that will never be explicitly called out in a design so we dont know how vulnerable we are until a site wide qualys scan finished on tuesday.

Like if you use splunk to mangle your data, it uses log4j but that isnt called out in any documentation. Repeat x1000.

the quick win to stop a few arseholes twitching is to check with networks. We definitely don't allow LDAP to transit outbound, so a lot of the mischief these little scamps can cause is mitigated just by that. We have a few controls that should stop a lot of monkey business but it's still not ideal not knowing how badly you're exposed, though.

Wow, I am not enjoying this. Fucking hell.

Yeah, we have ingested those. We have also seen probing for this from the 5th but was nixed by the firewalls, thankfully. On the same note, we have hit everything with qualys but for assurance we have had to scan 15k servers for this hash list

github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/md5sum.txt

Which might be worth doing.

Also, 15k servers? Fuck me. Sorry, fella.

I'm at 300 checked with a couple of hundred to go. Don't even know I'm born.

11:10
"Log4j exploit. I.T have asked me to contact you to find out if our version if xxx is vulnerable and if it is what mitgations are being put in place. Thanks"

The answer is literally written twice in big letters on every page of the website they use to raise tickets.

You guys seem like you work for bigger companies. What's the best way to impart timely information like this? This fucking middle manager thing where raising a ticket or sending an email or waiting in a queue on the phone is their go-to solution rather than spending 5 seconds looking around the screen they're already on. It's completely baffling to me, how do these people get anything done

I'm just a mouthpiece on this one but we provide off-the-shelf software that simply doesn't use Apache or Java in any way and certainly doesn't use the log4j library. The advantage of being in a smaller company I guess means it's easy to keep track of what we use.

If you think we're missing something obvious let me know and I'll take credit for it