The Lighthouse IT Podcast - December 17th, 2021
This week, Matt & Griff discuss the widespread log4j vulnerability, Life360 privacy issues on how and why they are selling user data, Mercedes' fully self-driving car, Peloton counter-marketing, and more!
- CVE-2021-44228, a critical vulnerability affecting the Java logging package log4j, which is used in a significant amount of software, including Apache, Apple iCloud, Steam, Amazon, Cloudflare, Twitter, Minecraft and others.
- Because of its large attack surface and the innate severity of remote code execution, security researchers are notably calling this a "shellshock" vulnerability. All threat actors need to trigger an attack is one line of text. There's no obvious target for this vulnerability — hackers are taking a spray-and-pray approach to wreak havoc.
- If your organization uses the log4j library, you should upgrade to log4j-2.15.0.rc2 immediately. Be sure that your Java instance is up-to-date; however, it's worth noting that this isn't an across-the-board solution. You may need to wait until your vendors push security updates out for their affected products.
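A first step toward the upgrade advice above is knowing where log4j-core actually sits on disk. The inventory helper below is an added example written for these notes (not the Log4j project's tooling); it classifies jar files by the version in their filename against the 2.15.0 (rc2) threshold the episode names, and treats the non-2.x line as outside the check.

```python
import os
import re

# Fix version named in the episode: log4j 2.15.0 (rc2). Any 2.x jar below it is flagged.
FIXED_VERSION = (2, 15, 0)

# Matches names such as log4j-core-2.14.1.jar or log4j-core-2.15.0-rc2.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:[.-]rc(\d+))?\.jar$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.14.1' into a comparable tuple (2, 14, 1)."""
    return tuple(int(part) for part in text.split("."))


def classify_jar(path):
    """Return (path, version_string, status); status is one of
    'vulnerable', 'patched', 'out-of-scope' (non-2.x) or 'not-log4j-core'."""
    match = JAR_NAME.match(os.path.basename(path))
    if not match:
        return (path, None, "not-log4j-core")
    version_text, rc = match.groups()
    version = parse_version(version_text)
    if version[0] != 2:
        # CVE-2021-44228 concerns the 2.x line; other major versions are not judged here.
        return (path, version_text, "out-of-scope")
    if version < FIXED_VERSION:
        return (path, version_text, "vulnerable")
    # The page names rc2 of 2.15.0 as the fix, so an earlier rc of 2.15.0 is still flagged.
    if version == FIXED_VERSION and rc is not None and int(rc) < 2:
        return (path, version_text, "vulnerable")
    return (path, version_text, "patched")


def classify_jar_paths(paths):
    """Classify a list of jar paths, keeping only log4j-core findings."""
    return [r for r in (classify_jar(p) for p in paths) if r[2] != "not-log4j-core"]


def scan_tree(root):
    """Walk a directory tree (for example an application's lib/ folder) and classify every jar."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.lower().endswith(".jar"))
    return classify_jar_paths(found)


if __name__ == "__main__":
    import sys
    for path, version, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version or '-':10} {path}")
```

Filename matching misses log4j-core copies repackaged inside WAR or fat jars, so a hit list of zero is not proof of absence; it is the quick pass before vendor patches and deeper archive inspection.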
SolarWinds hackers - looking back, to ensure we are looking forward
- Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history. It compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.
- Nobelium — the name Microsoft gave to the intruders — was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium's numerous feats — and a few mistakes — as it continued to breach the networks of some of its highest-value targets.
- Almost instantly, the hackers could intrude into the networks of all of those entities.
- Beyond the supply-chain tactic described above, this is what we now know they also used:
- Harvesting system and web browser credentials and cryptocurrency wallets
- Compromising enterprise spam filters & other software with "application impersonation privileges"
- The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies.
- Extracting virtual machines to determine internal routing configurations
- Gaining access to an Active Directory stored in a target's Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections.
- Use of a custom downloader dubbed Ceeloader.
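The proxy item above describes a detection failure mode: the source networks looked local and reputable, so a geography-only review of access logs saw nothing. The snippet below is an added illustration for these notes (not from the episode or Mandiant's research) using constructed log records; it contrasts a country-based check with a per-user baseline of first-seen network owners, which is the comparison an admin reviewing those logs would want.

```python
from collections import defaultdict

# Constructed sample access-log records (not real data): user, the network owner the
# source IP resolves to, and its country. Field names are this example's own choice.
BASELINE_LOGINS = [
    {"user": "alice", "org": "Corp HQ Office", "country": "US"},
    {"user": "alice", "org": "Corp VPN", "country": "US"},
    {"user": "bob", "org": "Corp HQ Office", "country": "US"},
]

NEW_LOGINS = [
    {"user": "alice", "org": "Corp HQ Office", "country": "US"},        # normal
    {"user": "alice", "org": "Residential ISP (US)", "country": "US"},  # residential proxy, same geo
    {"user": "bob", "org": "Azure (US region)", "country": "US"},       # cloud provider, same geo
    {"user": "bob", "org": "Corp HQ Office", "country": "DE"},          # country mismatch
]


def _seen(baseline, field):
    seen = defaultdict(set)
    for rec in baseline:
        seen[rec["user"]].add(rec[field])
    return seen


def geo_only_check(baseline, logins):
    """Flag logins whose country differs from the user's baseline countries.
    Proxies and cloud hosts in the same geography pass this check."""
    seen = _seen(baseline, "country")
    return [r for r in logins if r["country"] not in seen[r["user"]]]


def new_source_check(baseline, logins):
    """Flag logins from a network owner the user has never used before, whatever the country."""
    seen = _seen(baseline, "org")
    return [r for r in logins if r["org"] not in seen[r["user"]]]


def combined_alerts(baseline, logins):
    """Union of both checks, in log order, without duplicates."""
    flagged = geo_only_check(baseline, logins) + new_source_check(baseline, logins)
    return [r for r in logins if r in flagged]


if __name__ == "__main__":
    for rec in combined_alerts(BASELINE_LOGINS, NEW_LOGINS):
        print("ALERT", rec)
```

The network-owner field has to come from WHOIS/ASN enrichment of the logged IP, and a first-seen baseline is noisy for mobile users, so in practice it is a triage signal rather than a blocking rule.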
Family Safety App Life360 Is Selling Precise Location Data on Its 33 Million Users
- Marketed as a great way for parents to track their children's movements using their cellphones
- The app is selling data on kids' and families' whereabouts to approximately a dozen data brokers who have sold data to virtually anyone who wants to buy it.
- The raw location data X-Mode received from Life360 was among X-Mode's most valuable offerings due to the sheer volume and precision of the data.
- Life360 founder and CEO Chris Hulls said in an emailed response to questions from The Markup: "We see data as an important part of our business model that allows us to keep the core Life360 services free for the majority of our users, including features that have improved driver safety and saved numerous lives."
Mercedes-Benz gets world's first approval for automated driving system
- Mercedes-Benz became the world's first automaker to gain regulatory approval for a so-called "level 3" self-driving system.
- It's called Drive Pilot, and it debuts next year in the new S-Class and EQS sedans, allowing the cars to drive themselves at up to 37 mph (60 km/h) in heavy traffic on geofenced stretches of highway.
- "Level 2" systems mean that although the car can accelerate, brake, and steer for itself, a human driver is still required to maintain situational awareness.
- The new system is true automated driving as opposed to driver assistance. It uses a combination of radar, cameras, lidar, microphones (to detect emergency vehicles), and a moisture sensor, plus the car's high-accuracy GNSS, which locates the car on an HD map.
- When engaged, Drive Pilot takes over managing situational awareness.
- Drivers really can turn their minds, and their eyes, to something else.
Peloton and the City
Peloton thought it could spend December relaxing in front of the TV after a rocky third quarter of slowing sales, but then the Sex and the City reboot on HBO Max decided to use its product as a murder weapon. A day after the unfortunate product placement in Thursday night's episode, Peloton's stock fell 5.4%, adding to its recent slump.
In the first episode of And Just Like That... Mr. Big dies from a heart attack after completing his 1,000th Peloton ride. We won't get into Carrie's... less than helpful response, but the fitness company released a statement reminding viewers that it was more likely that Mr. Big's extravagant lifestyle, not the workout class, killed John. (Yeah, we finally find out his real name!)
- The company also told BuzzFeed it wasn't aware of the plotline, just that Jess King, a real instructor at the company, would be playing a fictional Peloton instructor in the show.
Big (sorry) picture: No company has ever lost out on sales because it killed a fictional hottie, but as analysts at BMO Capital Markets wrote, it calls into question "whether PTON is losing degrees of control over its storytelling." Peloton's stock has plunged 73% this year as investors wonder whether living room lunges were just a pandemic fad. — MM