#Log4j
Text
Think Log4j is a wrap? Think again
Three years after its discovery, Log4Shell remains one of the software flaws that are most used by threat actors, a new report released by Cato Networks has found. https://jpmellojr.blogspot.com/2024/08/think-log4j-is-wrap-think-again.html
0 notes
Text
6 out of 10 companies affected: How can cyberattacks like Log4j be avoided?
Log4j is one of the most popular logging libraries used on the Internet, according to cybersecurity experts. On December 9, a vulnerability emerged that has affected almost half of the companies worldwide. Image via Depositphotos. Attackers are able to exploit the vulnerable apps to run cryptojackers and other malware on servers…
0 notes
Link
https://bit.ly/45gJemi - 🏛️ The House Committee on Homeland Security has advanced five bipartisan bills aiming to enhance the nation's cybersecurity, combat the use of drones from adversaries like China, streamline DHS' approach to countering weapons of mass destruction, and support first responders. This move signals the committee's robust and bipartisan efforts to address key challenges within homeland security. #CyberSecurity #HomelandSecurity
📊 A highlight of this progression is Chairman Green's 'Securing Open Source Software Act of 2023'. The bill was introduced in response to security issues raised during the Log4j vulnerability disclosure and will address similar risks associated with other open-source software components. #SecuringOpenSource #Log4j
🌐 Chairman Green emphasized the importance of these efforts in mitigating the risk of sensitive data falling into the hands of adversarial nations, ensuring a coordinated response to threats, and managing risks associated with the use of open-source software - a crucial component of our digital ecosystem. #DataProtection #DigitalSecurity
📜 The bills passed by the Committee include:
1️⃣ H.R. 3286, 'The Securing Open Source Software Act of 2023', by Chairman Mark E. Green (R-TN) #OpenSourceAct
2️⃣ H.R. 1501, 'The Unmanned Aerial Security Act', by Rep. Michael Guest (R-MS) #UnmannedAerialAct
3️⃣ H.R. 3224, 'The Countering Weapons of Mass Destruction Extension Act of 2023', by Rep. Anthony D'Esposito (R-NY) #WMDAct
4️⃣ H.R. 3208, 'The DHS Cybersecurity On-the-Job Training Program Act', by Rep. Sheila Jackson Lee (D-TX) #CyberTrainingAct
5️⃣ H.R. 3254, 'The First Responder Access to Innovative Technologies Act', by Rep. Donald Payne (D-NJ) #FirstResponderAct
These advancements affirm the Committee's commitment to strategically addressing pressing issues facing homeland security.
#CyberSecurity#HomelandSecurity#SecuringOpenSource#Log4j#DataProtection#DigitalSecurity#OpenSourceAct#UnmannedAerialAct#WMDAct#CyberTrainingAct#FirstResponderAct#BipartisanEfforts#PolicyProgress#firstresponders#opensource#china#homestead#committee#security#bills#cybersecurity#drones#drone#highlight#chairman#green#software#vulnerability#risk#data
1 note
Text
I think the verdict is now very clear about when the Minecraft Silver Age ended.
#Log4j Exploit#NOT Fractureizer#Somewhat older; completely different Minecraft issue#Minecraft 1.7 sucks!#Beta 1.7 and its retro relatives all the way!#I'd rather play Minecraft 1.6 than Minecraft 1.7.#Minecraft versions#Silver Age#Minecraft Silver Age
3 notes
Text
linux is not. magically free of the Dependencies curse, tho.
like I respect the moxie & mod-ability of an open OS as much as the next bigtech girlie but it very much is still Computer
it's honestly nuts to me that critical infrastructure literally everywhere went down because everyone is dependent on windows and instead of questioning whether we should be letting one single company handle literally the vast majority of global technological infrastructure, we're pointing and laughing at a subcontracted company for pushing a bad update and potentially ruining themselves
like yall linux has been here for decades. it's stable. the bank I used to work for is having zero outage on their critical systems because they had the foresight to migrate away from windows-only infrastructure years ago whereas some other institutions literally cannot process debit card transactions right now.
global windows dependence is a massive risk and this WILL happen again if something isn't done to address it. one company should not be able to brick our global infrastructure.
#have we forgotten the openssh vuln so easily#or heck#let's go full hardware#anyone up for a Spectre-style microprocessor exploit#anything wide-spread enough will trigger a 'move fast & break things' response if the patching entity didn't game out mitigations in advance#linux based stuff is more divergent sure#just means it'll get you through your logging library or some shit#(log4j my beloved)
5K notes
Text
Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
Source: https://blog.talosintelligence.com/apache-log4j-rce-vulnerability/
8 notes
Text
2b2t players will post videos about "Minecraft's most DANGEROUS bug" and it's actually just a really niche glitch that lets you find someone's base and the only reason it's dangerous is because 2b2t players are mentally ill
good for them but log4j existed there are more dangerous bugs i think
4 notes
Text
Health data only conditionally secure
KIM = Chaos in Medicine
KIM was actually meant to be a secure e-mail service for medicine, that is, for communication between health insurers and doctors. Something similar has existed for years in the justice sector for courts and lawyers. In that respect it is not the grandest of innovations.
Nevertheless, it went wrong. As reported at the 37th CCC Congress in Hamburg by the Münster security researcher Christoph Saatjohann of the Fraunhofer Institute for Secure Information Technology (SIT) in Münster and Sebastian Schinzel, a total of eight health insurers received the same S/MIME key from Gematik. Secure e-mail is based on the public/private key method developed by Phil Zimmermann since the 1980s. In public institutions this is done according to the X.509 standard, while in the private sphere everyone can generate their own key pairs.
But if the certification authorities (CAs) distribute the same keys to different actors, then that is the end of the security of sensitive medical data. That is the worst-case scenario for the PKI, the Public Key Infrastructure.
According to the security researchers, as Heise.de writes, three health insurers once had the same key issued in September 2021, and five had a second key. 28% of citizens were said to be insured through these eight health insurers. This incident was not the first with KIM. In 2022 a Log4J vulnerability was found in T-Systems' KIM client module.
In future, the keys will now be checked monthly for duplicates.
More on this at https://www.heise.de/news/37C3-Schluessel-fuer-E-Mail-Dienst-KIM-fuer-das-Medizinwesen-mehrfach-vergeben-9583275.html
Category[21]: Our topics in the press. Short link to this page: a-fsa.de/d/3y7 Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/8633-20231229-gesundheitsdaten-nur-bedingt-sicher.html
#KIM#Gematik#Telekom#Scheinsicherheit#CCC#X.509#Zertifizierungsstellen#doppelt#Keys#Schlüssel#Email#PP#GPG#Verbraucherdatenschutz#Datensicherheit#Datenpannen#Datenskandale#eGK#ePA#Datenverluste#Anwaltspostfach
2 notes
Text
botnets like mirai are pretty prolific, people just don't notice because nobody cares about securing routers and IoT
the modern internet needs a new mega virus. we've gone too long without having a named virus that takes out a major % of computers
547 notes
Text
I just manually updated a component inside a minecraft modpack so that it no longer had the log4j vulnerability and could be run safely.
And I have to say, that was ridiculous, I could never have done that a few years ago.
Granted, part of the complexity is that I run my servers via a user that has no password, no sudo access, and no real access to the system except the servers and their related files, as I should.
But blech.
7 notes
Text
Cloudflare report: Log4j remains top target for attacks in 2023
Log4j remained a top attack vector for threat actors in 2023, while a new vulnerability, HTTP/2 Rapid Reset is emerging as a significant threat to organizations, according to Cloudflare’s annual “Year in Review” report. https://jpmellojr.blogspot.com/2023/12/cloudflare-report-log4j-remains-top.html
0 notes
Text
Top 10 Java Libraries and Frameworks Every Developer Should Know
1. Spring Framework — Comprehensive ecosystem for enterprise Java development — Dependency injection — MVC architecture — Microservices support
2. Hibernate — Object-relational mapping (ORM) library — Simplifies database interactions — Supports multiple databases — Reduces boilerplate database code
3. Apache Maven — Project management and build automation tool — Dependency management — Standardized project structure — Easy integration with CI/CD pipelines
4. JUnit — Unit testing framework — Supports test-driven development — Annotations for test configuration — Wide IDE integration
5. Apache Spark — Big data processing framework — Distributed computing — Machine learning capabilities — Real-time data streaming
6. Mockito — Mocking framework for unit tests — Allows creation of test doubles — Verifies method interactions — Simplifies complex testing scenarios
7. Lombok — Reduces boilerplate code — Automatic getter/setter generation — @Data, @Builder annotations — Improves code readability
8. Jackson — JSON processing library — Object serialization/deserialization — High-performance JSON parsing — Supports complex object mappings
9. Log4j — Logging framework — Configurable logging levels — Performance optimization — Multiple output destinations
10. Guava — Google’s core libraries — Utility classes — Functional programming support — Improved collections and caching
WEBSITE: https://www.ficusoft.in/core-java-training-in-chennai/
0 notes
Text
on the one hand it's kinda annoying that our digital and physical lives are coated with ads set on making us feel incomplete, for companies that then have unchecked censorship rights on their surrounding content, and political campaigns are won by the most advertised candidate, and the surveillance state created by the amount of our data being sold is used for voter suppression and stalkers, and it's burning down the planet with direct online advertising alone producing the equivalent of up to 159 metric tons of carbon dioxide emissions a year,
but hey, the internet couldn't possibly ever be run by volunteers.
except it is. right now.
XZ Utils and OpenSSL and Log4j and many projects like them are volunteer-led--OpenSSL in particular is almost entirely managed by two men named Steve. the projects have some funding sometimes but the people who fix stuff when it breaks usually aren't paid and all have other full-time jobs. we know this because it's happened, i only heard about these specific services because they've all recently had vulnerabilities that had to wait for volunteers to get off work or for one of the Steves to pause his vacation. and some big companies were relying on them.
big companies like linux and facebook and google and microsoft and amazon web services and twitter and cloudflare and apple and intuit and paypal and tumblr. y'know, basically the internet. so much of their infrastructure is volunteer code right now. if they don't need all that ad money and user data we're netting them, what are we actually getting in return?
what if we just turned the ads off? what if we just turned the ads off? what if we just turned the ads off?
what if the next time google wants to collect data to sell for drone strikes they have to fill out a grant proposal and put the notion on a ballot?
love when ppl defend the aggressive monetization of the internet with "what, do you just expect it to be free and them not make a profit???" like. yeah that would be really nice actually i would love that:)! thanks for asking
#what if the steves got paid like a little bit for keeping the internet working?#also file this under the “people won't work without a profit motive” argument#cause every time you watch a youtube video or scroll instagram you're depending on unpaid work#advertising#capitalism#tech
59K notes
Text
Summary
🌐 Introduction to Internet Background Exploitation:
Andrew Morris explains the growing challenges of internet-wide vulnerability exploitation and the concept of "internet background noise," which includes mass scanning and exploitation attempts.
🔍 Key Trends and Challenges:
Mass Exploitation:
Attackers focus on vulnerabilities first, scanning the entire internet for potential targets, rather than targeting specific organizations.
Tools like ZMap and Masscan have made internet scanning faster and more efficient, enabling attackers to find vulnerable systems within minutes.
Proliferation of Noise:
Background noise on the internet arises from both legitimate and malicious activities, complicating the identification of threats.
🔧 Strategies and Tools:
GreyNoise:
Deploys a distributed sensor network to detect and analyze mass exploitation attempts.
Creates signatures for exploitation patterns and provides temporary blocklists to protect vulnerable systems.
Case Studies:
Examples like Log4j and other vulnerabilities show how quickly attackers exploit disclosed vulnerabilities, often within hours.
🎯 Future Outlook:
Emphasis on proactive defense strategies like whack-a-mole-style blocking of malicious IPs.
The importance of global collaboration and data sharing to mitigate internet-wide threats effectively.
0 notes
Text
On a day like today (December 9) in computing
On December 9, 2021, the log4j security vulnerability, known as Log4Shell, was announced; it is a critical vulnerability detected in the Apache Log4j logging library, first detected on November 24.
It grants hackers access to and full control of devices running versions of Apache without the security patch.
On this date, Alibaba security researchers find evidence that Log4Shell was being published as exploit code on GitHub.
It drastically affected the servers of Minecraft, Cloudflare, Microsoft and Amazon.
#retrocomputingmx #Log4Shell #vulnerability
0 notes
Text
between this and log4j is there anything minecraft kids can't do
Minecraft seems like a good thing for youngsters actually. it's creative and non violent and social to a degree. do they do a good job making sure it is safe
54K notes