Podcast: Log4j Vulnerability... Fake news?

 

This is When Bits Hit the Fan where we keep an eye on tech news so you don't have to and when bits hits the fan we bring it right to you. Each time a major tech news story breaks, I, Taylor Uden, and James Schuler translate the facts and show you how it impacts your business. So, if you feel like you're inundated with tech stories, let us guide you through when bits hit the fan.

 

Yep!

 

James (00:35)

 

 

 

 

 

We don't know if the background noise will allow for this episode to even be used. We thought it'd be fun to have the mic hot the entire day so you can see the company deteriorate and implode amongst itself as we consume more and more alcohol. 

 

Speaking of consuming alcohol, I've got most of the office here already. Taylor, of course, is with me. Taylor?

 

We actually wanted to bring the topic of everything we heard in the news about apache and Log4j to the masses the millions of you now listening who've made us a top 100 tech podcast. [It's] unbelievable, the demand to hear our short stories of what's in the news. [This] brings us back to our title, our names, and everything else we haven't done yet in our normal intro. I'm James Schuler and this is When Bits Hit the Fan.

 

 

 

Well...

 

That might be the biggest reason that everyone's freaking out about it - is your imagination can run wild with just about any new story that's out there. So, if you go to the internet you've likely experienced products that use Log4j. If you've read the internet recently, you've likely heard the debate "Is it called Log4j or is it called Logforge?". [It] seems like it should be called Logforge. Logging and forgings seem to go together well. But no. It is indeed Log4j. So, if you talk about it at home, bring it up to your spouse. Call it Log4j so you don't sound too dumb.

The next thing on- on my mind on this topic is if you've been to the internet and cemented some planted — cement? What's that word? Submitted! Submitted information on the internet with the intent to get back files or a webpage, it's likely apache software in the backend. Log4j, the logging software that's providing that data back to you. If it's taken over correctly by cyber-terrorist or bad actors then there's [an] even better chance that you're gonna wind up having someone take over your systems or read your information. So if you build your own software leveraging apache and not IIS or leveraging apache with logging software on it then there's a swell chance that you are indeed in danger of this but you're probably not currently at risk of something negative. Just patch it. Just need to patch it. [Do] you know what the patch is called? Log4j2.

Log4j 2 came out about a month ago. So, let's just pretend for a minute that we are hourly workers. If I were an hourly worker, I'd put my time clock in when I got in every day. When I left, my lunch break would be listed there. That's likely hosted by a company called Kronos. Have you heard of Kronos? [Has] anybody heard of Kronos before? We got a new guy at the table, he's being quiet, he's not raising his hand. Recently out of college, has not yet had to deal with Kronos. But, most of you veterans who are listening today, y'all know Kronos. Kronos is currently so impacted by it, they pulled their systems from the wall. They're down so they're telling people to prepare for our- for paper paychecks for all the people they support because they can't do it.

Think about if you use VMware. If you've got a firewall that's got a portal to it, that you get into or an internet system, odds are they use Apache, and Log4j's probably part of it. So if that was down, what would happen to your business? That's the big fear. It isn't the direct issue of having to patch apache in your environment, it's what happens when the systems that you rely on day in day out go down because of a product you've never heard of. Taylor, you wanna hear a funny joke?

 

Yeah.

 

What if you hadn't started recording at all. You should make me look like a loud talker at a bar.

 

No!

 

Is it recording?

 

Yeah! We're going!

 

We're going?

 

Yeah!

 

Oh, that's good!

 

I have questions, so whenever your rant is done...

 

Interrupt me, I didn't know anyone was listening.

 

I have a question for Andy actually. Andy! I'm just curious, from a customer perspective are they asking, are they wondering about this? Like, what's going on — are people worried, or is it just like false news that everyone's blowing up for no reason?

 

Well, everyone's worried because they don't know if they're vulnerable to it. They actually don't have visibility or even know whether they use apache or what Log4j is even associated with so it's just a big question mark that everyone seems to have. So it takes some investigation into their environment, and a close deep-dive look to scan and see if they've actually got this in their (in their environment) or if one of their service providers is using it. So they're having to ask all their vendors.

 

Yeah, is that something we do? Are we (are we able to dig into) if someone's a customer with us, are we able to understand that?

 

So we can either look through the classic telemetry data and just watch for malicious activity to come in but on the other end-

 

Andy, I can't think of the word "submitted" and you said "telemetry"? Continue!

 

 

That's a good question, Taylor. It makes me think the same thing for uh some of our project guys. I know like Ariel's talking to a lot of our clients too. I don't know that Ariel is getting the direct feedback. Let me ask him the same question.

 

Yeah!

 

Ariel, are you are you hearing from any clients? If they're concerned about Log4j?

 

Yes, we actually talked to somebody this morning that was having uh having some concerns one of their customers needed to be assured that they did not have so we were able to get that information to them today. Yeah!

 

That's actually a really good point too with- with the uh the misunderstandings about log4j today and who's actually directly impacted by it I've heard private equity companies too are going to their port codes and they're saying tell me now what's what applications do you have with Log4j on it.

 

Well it was funny, Taylor- we just had an interview with Anthony our CISO right? He was saying that a vendor risk assessment is (is important) and I think a lot of people believe it's important but they pass on that they don't get it done because there's more priorities to do. Well now, it's more important than ever. Now, you got to figure not just "what applications am I using that make my business money?" but which ones keep me up and running. Yeah, our CRM tool is backed by or powered by AWS. We learned- we learned when AWS had an outage, it turns out we are more relying on AWS than we knew.

 

More often than not, you find these things out after the fact and not before the fact.

 

James (09:18)

Yeah, I hate finding things out that way. It's the worst way to find things out. I like to find out in advance. I know our customers are the same right? They want to? They don't want any surprises.

 

So we got more people around here. Who knows what the background (background sounds are like but I'm) I am curious about more people though. Can we ask more people this question?

 

Yeah, go ahead why don't we get some some different faces here. Two people from our knock...

 

Mitch, anybody talking about Log4j with you? Anybody scared about it?

 

Oh, it's it's horrible. It's the- it's the pandemic of our times.

 

...What? Wha- *laughs* Yeah, so I wanna know a little more about that. I think you're probably saying that a bit tongue-in-cheek but, are you getting a lot of calls about it for sure?

 

No, I haven't heard much on our end yet but I saw the emails and stuff from our ticket system providers letting us know that they are taking care of vulnerabilities.

 

Well said, well said. They're taking care of vulnerabilities. That might be a bumper sticker before this year is over. There's a theory that we're not going to know the impact of what happened with Log4j for three to five years we may not. A lot of service providers including Centre, let their customers know that it exists, and then secondly we're doing something about it so why don't we talk about just real quick what we're doing about it you may not know this, Mitch. Yeah, so this is kind of cool. Of the four things that matter - a clean copy of data, proactive threat hunter, visibility security gaps, and response plan - the third one, visibility and security gaps, is done by a recurring vulnerability scan program and if that vulnerability scan was occurring, then you would be able to see that this patch was available for Log4j for your Apache software.

Now, let's just say something did get past that just being a vulnerability. You're actually breached by it. Well, good news. If you have a proactive threat hunter it would have found that without a human element to it. Worst case if that failed then you could leverage your clean copy of data to get up and running.

Ariel, you just tapped me on the shoulder with some great knowledge. What did you just say?