WEBVTT - The Dangers of the Internet of Things 0:00:04.400 --> 0:00:07.800 Welcome to tech Stuff, a production from I Heart Radio. 0:00:11.920 --> 0:00:14.560 Hey there, and welcome to tech Stuff. I'm your host, 0:00:14.720 --> 0:00:17.680 Jonathan Strickland. I'm an executive producer with iHeart Radio. And 0:00:17.720 --> 0:00:21.520 how the tech are you all right? Way back in 0:00:21.800 --> 0:00:26.560 nine a guy named Leonard klein Rock wrote a paper 0:00:26.920 --> 0:00:32.479 titled information Flow in Large Communication Nets, and a lot 0:00:32.520 --> 0:00:36.159 of folks point to this paper as laying out the 0:00:36.200 --> 0:00:41.879 basics for what would become networked computer communications, which in 0:00:42.000 --> 0:00:47.080 turn would evolve into the ARPA net Project, where the 0:00:47.800 --> 0:00:54.000 basic rules for computer to computer communication were established. And 0:00:54.040 --> 0:00:57.160 then you had things like radio based networks, you had 0:00:57.240 --> 0:01:01.240 satellite based networks. You had these all kind of coming together. 0:01:02.000 --> 0:01:06.480 And from that we then get an evolution into the Internet, 0:01:06.560 --> 0:01:10.680 which is the network of networks, and that really got 0:01:10.680 --> 0:01:15.839 its start around as different networks could finally communicate with 0:01:16.080 --> 0:01:20.800 one another, not just within themselves, and it was because 0:01:20.880 --> 0:01:25.160 of the establishment of common protocols. Now, many of us 0:01:25.880 --> 0:01:29.279 out in the real world, away from all these different 0:01:29.319 --> 0:01:32.520 research centers and government facilities and things like that, a 0:01:32.600 --> 0:01:36.399 lot of us remain blissfully ignorant of the Internet until 0:01:36.520 --> 0:01:39.480 you got up to the early nineties and the launch 0:01:39.480 --> 0:01:42.320 of the World wide web. The Web was an easier 0:01:42.400 --> 0:01:46.440 concept for most people to grasp than the larger idea 0:01:46.640 --> 0:01:49.520 of the Internet, because you could look at the Web 0:01:49.520 --> 0:01:51.600 and you could say, oh, it's like a magazine, but 0:01:51.680 --> 0:01:54.680 it's on your computer. It also wasn't that different from 0:01:54.880 --> 0:01:59.040 online service providers like a O L where you weren't 0:01:59.080 --> 0:02:02.200 connected to an internet at large, but you were connecting 0:02:02.240 --> 0:02:07.279 into a single network. And for a lot of people, 0:02:07.600 --> 0:02:10.560 the Web and the Internet were synonymous, right it was 0:02:10.600 --> 0:02:15.079 the Web was the Internet. Over time, I would say 0:02:15.120 --> 0:02:18.560 the general public came to understand what the Internet was, 0:02:18.600 --> 0:02:21.399 at least sort of. I mean, there's still people who 0:02:21.440 --> 0:02:24.160 do refer to the Web as the Internet, and the 0:02:24.160 --> 0:02:26.360 Internet is the Web and that's all there is to it. 0:02:26.440 --> 0:02:28.800 That's not the case. The Web sits on top of 0:02:28.800 --> 0:02:31.760 the Internet, but the Internet is more than just the Web. 0:02:32.320 --> 0:02:35.040 But then let's get up to the late nineties. That's 0:02:35.040 --> 0:02:37.240 when there was this guy working at Procter and Gamble 0:02:37.840 --> 0:02:41.160 who had an idea, and he proposed using r F 0:02:41.240 --> 0:02:46.960 I D chips on components and products for the purposes 0:02:47.000 --> 0:02:50.960 of tracking stuff as that stuff moves through supply chain. 0:02:51.040 --> 0:02:53.639 So an example of this might be for a microchip 0:02:53.720 --> 0:02:57.720 that's going to go into a larger product. Maybe the 0:02:57.840 --> 0:03:00.799 box that holds the little micro chip has an r 0:03:00.960 --> 0:03:03.000 f I D chip on it so that you can 0:03:03.000 --> 0:03:05.640 easily scan it as it goes from one point in 0:03:05.680 --> 0:03:07.600 the supply chain to the next. That way, you can 0:03:07.680 --> 0:03:12.079 keep track of where everything is throughout the entire system. 0:03:12.760 --> 0:03:16.280 And UH, that was a neat idea, right. It's a 0:03:16.320 --> 0:03:19.760 great way to try and keep an eye and monitor 0:03:19.880 --> 0:03:23.320 a supply chain. Give a logistics manager the capability to 0:03:24.080 --> 0:03:26.639 know what's going on at any given minute and respond 0:03:26.720 --> 0:03:30.080 to it, perhaps make changes if there is a delay 0:03:30.120 --> 0:03:33.560 at one point in the supply chain. Great idea. But 0:03:33.760 --> 0:03:37.960 you know this guy wanted to be able to convince 0:03:38.120 --> 0:03:42.880 his superiors to uh, to buy into this idea. So 0:03:42.920 --> 0:03:47.320 the guy's name is Kevin Ashton, and Kevin Ashton thought 0:03:47.400 --> 0:03:51.520 he needs kind of a sexy phrase to get his 0:03:51.640 --> 0:03:55.080 idea sold to these these higher ups, to get them 0:03:55.120 --> 0:03:58.880 to buy into his vision. So he called the approach 0:03:59.440 --> 0:04:03.880 the inter net of Things. Now, Ashton was allegedly just 0:04:03.920 --> 0:04:06.120 trying to get higher ups to support his idea for 0:04:06.240 --> 0:04:09.040 including r F I D tags and those tags wouldn't 0:04:09.040 --> 0:04:12.440 magically send information on their own to a network, you'd 0:04:12.480 --> 0:04:14.960 have to scan them and everything. But it wouldn't take 0:04:15.000 --> 0:04:17.960 long for this basic concept to evolve. And in fact, 0:04:18.000 --> 0:04:24.200 there were previous cases where people had connected sensors to 0:04:24.320 --> 0:04:28.400 certain devices and then connected those to a network so 0:04:28.480 --> 0:04:33.800 that they could monitor a device remotely. There was ones 0:04:33.839 --> 0:04:36.680 where people did that with vending machines, for example, so 0:04:36.720 --> 0:04:39.479 that they would know when the vending machine was running 0:04:39.520 --> 0:04:43.120 low on specific stuff that's that's, or in some cases, 0:04:44.279 --> 0:04:47.240 so that the person who had installed it would know, Oh, 0:04:47.279 --> 0:04:49.560 I'm not gonna bother walking down there. They're out of 0:04:49.640 --> 0:04:52.159 dr pepper. So I'm not even gonna bother leaving my 0:04:52.240 --> 0:04:54.120 desk because I know there's no dr pepper in the 0:04:54.160 --> 0:04:57.720 vending machine downstairs. But it didn't take long for this 0:04:57.800 --> 0:05:04.200 basic concept to evolve of into something more uh ambitious. 0:05:04.839 --> 0:05:07.400 And I think it's fascinating that the phrase internet of 0:05:07.440 --> 0:05:11.960 things actually predates the consumer smartphone era by nearly a decade, 0:05:12.000 --> 0:05:15.560 because I think for most people, myself included that that 0:05:15.720 --> 0:05:20.880 their awareness of the Internet of things came after smartphones 0:05:21.120 --> 0:05:24.520 first started to really become popular among the general population. 0:05:24.839 --> 0:05:28.080 I point to the iPhone launch in two thousand seven 0:05:28.560 --> 0:05:31.880 as the beginning of the smartphone era. Obviously, there were 0:05:31.920 --> 0:05:35.599 smartphones before the iPhone. Apple did not invent the smartphone, 0:05:36.279 --> 0:05:39.160 but smartphones were kind of a niche product that we're 0:05:39.200 --> 0:05:43.120 mostly just used by business leaders, executives, that kind of thing, 0:05:43.279 --> 0:05:45.839 and not so much the average person. But Apple changed 0:05:45.839 --> 0:05:50.200 all that, and then subsequently once we were all adjusting 0:05:50.240 --> 0:05:53.160 to the idea of being able to access stuff online 0:05:53.240 --> 0:05:56.320 through our phones in a way that was actually, you know, 0:05:57.160 --> 0:06:00.640 fun to do and useful. Because if you ever had 0:06:00.720 --> 0:06:04.200 a basic cell phone before the smartphone era, you know 0:06:04.320 --> 0:06:07.640 that if you did have any web enabled services on there, 0:06:08.240 --> 0:06:12.680 it was not good. Like it just didn't it didn't 0:06:12.720 --> 0:06:15.679 work well, it wasn't easy to navigate in. The iPhone 0:06:15.760 --> 0:06:19.680 changed all that. Well for me at least, my awareness 0:06:19.680 --> 0:06:23.440 of smartphones came first, and then I later became aware 0:06:23.480 --> 0:06:25.760 of this idea of Internet of things. But of course 0:06:26.160 --> 0:06:28.680 the Internet of things concept had been going pretty strong 0:06:28.720 --> 0:06:33.960 already for almost a decade. Anyway, as time would go on, 0:06:34.400 --> 0:06:38.520 we would see more folks experiment with Internet connectivity and 0:06:38.600 --> 0:06:43.640 everything from components like simple sensors or actuators which could 0:06:43.640 --> 0:06:47.880 go into larger systems. So you make a tiny part 0:06:48.400 --> 0:06:51.800 that is meant to go into something else. You make 0:06:51.839 --> 0:06:55.120 that one part capable of connecting to a network, and 0:06:55.160 --> 0:06:58.039 then maybe the rest of it also can, or maybe 0:06:58.040 --> 0:07:02.560 it can all the way up to more complicated integrations 0:07:02.640 --> 0:07:06.279 where the entire system is meant to be Internet capable, 0:07:06.320 --> 0:07:09.760 stuff like smart TVs. Right these days, you can outfit 0:07:09.800 --> 0:07:12.600 your home numerous smart devices that all connect to a 0:07:12.640 --> 0:07:17.240 home network or the Internet at large. And then there's 0:07:17.280 --> 0:07:20.560 also a growing use of Internet connected devices out in 0:07:20.720 --> 0:07:24.840 the world just outside of your home. Everything from cars 0:07:25.200 --> 0:07:29.560 to city infrastructure, security cameras, all sorts of stuff are 0:07:29.600 --> 0:07:33.880 all connected into the Internet, creating this massive Internet of things. Now. 0:07:33.920 --> 0:07:37.360 Throughout all that time, there have been security experts who 0:07:37.360 --> 0:07:42.520 have cautioned companies and consumers about the Internet of things, 0:07:42.920 --> 0:07:45.320 because the Internet of Things does come with it a 0:07:45.360 --> 0:07:49.200 lot of benefits. You can see a lot of really 0:07:49.480 --> 0:07:52.880 compelling use cases for the Internet of things, whether it's 0:07:52.920 --> 0:07:54.800 just keeping an eye on things to make sure that 0:07:54.840 --> 0:08:01.760 everything is working properly, to creating more convenient and lightful experiences. 0:08:01.760 --> 0:08:05.880 But any network connected device can potentially serve as an 0:08:06.000 --> 0:08:12.520 entry point for bad actors, for for malicious hackers, so 0:08:12.640 --> 0:08:18.800 devices can be compromised, and that might allow a hacker 0:08:18.840 --> 0:08:23.400 to get a foothold into say, your your home network 0:08:24.080 --> 0:08:29.520 and search for ways to get greater access so that 0:08:29.560 --> 0:08:33.440 they can do all sorts of stuff from stealing information 0:08:34.080 --> 0:08:38.640 to turning your network or devices on your network into 0:08:38.800 --> 0:08:41.800 agents that they use and things like a bot net, 0:08:42.679 --> 0:08:45.400 or they may use it to do stuff like mine 0:08:45.480 --> 0:08:49.680 for cryptocurrency. It's nothing like having you know, your your 0:08:49.760 --> 0:08:55.400 web server crash because some hacker has compromised tens of 0:08:55.440 --> 0:08:59.240 thousands of Internet connected doorbells and then directed all those 0:08:59.240 --> 0:09:02.800 doorbells to paying your web server. That's something that can happen, 0:09:03.360 --> 0:09:06.720 like those button nets that can do distributed denial of 0:09:06.760 --> 0:09:10.480 service attacks or de dos attacks. It doesn't have to 0:09:10.520 --> 0:09:13.480 be a computer like I often think of computers when 0:09:13.480 --> 0:09:16.880 I think of de DOS attacks. But the truth is 0:09:17.520 --> 0:09:21.400 any network connected device capable of sending a ping to 0:09:21.600 --> 0:09:25.120 a server can potentially be part of a boton net. 0:09:25.600 --> 0:09:29.160 So that includes a lot of devices we connect to 0:09:29.440 --> 0:09:33.600 networks that are not computers or smartphones. And if those 0:09:33.679 --> 0:09:37.719 devices don't have the proper security enabled on them, or 0:09:37.800 --> 0:09:41.320 if we're really lazy and we don't bother to update 0:09:41.360 --> 0:09:45.280 things like default passwords and user names, we can start 0:09:45.320 --> 0:09:50.720 to create the opportunity for some pretty serious mischief. Then, 0:09:50.840 --> 0:09:54.120 of course, there are the tens of thousands of devices 0:09:54.160 --> 0:09:57.120 that have been connected to the Internet, and then subsequently 0:09:57.200 --> 0:10:00.800 the company is responsible for the hardware or the services 0:10:00.800 --> 0:10:04.360 that run on the hardware have stopped supporting them or 0:10:04.520 --> 0:10:07.800 completely gone out of business. If this happens all the time, Right, 0:10:07.840 --> 0:10:10.600 We've got all these different companies that have created Internet 0:10:10.679 --> 0:10:15.720 of Things type devices or components for devices, and then 0:10:15.720 --> 0:10:20.960 the company gets acquired and then effectively services are no 0:10:21.040 --> 0:10:25.240 longer supported for some things. Well, if those devices are 0:10:25.280 --> 0:10:29.720 still connected to networks and they're no longer actively serving 0:10:29.720 --> 0:10:34.440 a purpose, they could potentially act as an entry point 0:10:34.480 --> 0:10:38.120 for hackers as well, right, especially if they use default 0:10:38.559 --> 0:10:42.520 user names and passwords, default log incredentials, because you no 0:10:42.559 --> 0:10:46.200 longer have a company that's actually actively pushing out updates, 0:10:46.240 --> 0:10:49.800 so there's no hope of someone sending out, say a 0:10:49.880 --> 0:10:56.080 firmware update that requires you to change your devices log incredentials. 0:10:56.120 --> 0:10:59.560 So if you've got these orphaned devices that are still 0:10:59.600 --> 0:11:03.240 connect into networks, they can serve as a point of 0:11:03.400 --> 0:11:09.160 entry for hackers. Uh, These these forgotten Internet of things devices. Uh. 0:11:09.320 --> 0:11:11.760 In some cases, forgotten can also just mean that, oh, 0:11:11.840 --> 0:11:15.679 you you connected this thing to your network, you forgot 0:11:15.720 --> 0:11:18.079 you did it, you haven't used it in ages. It's 0:11:18.120 --> 0:11:21.320 still technically connected and still active, but you're not like 0:11:21.800 --> 0:11:26.880 constantly using it. Uh. That can potentially become a vulnerability. 0:11:26.920 --> 0:11:29.319 This is really one of the big problems with Internet 0:11:29.320 --> 0:11:33.040 of things in general is that the Internet of Things 0:11:33.240 --> 0:11:38.880 as a concept depends heavily upon companies that create Internet 0:11:38.960 --> 0:11:44.360 of things products and services remaining solvent and actively supporting them. 0:11:44.480 --> 0:11:46.920 And if they stop supporting them, that the rest of 0:11:47.040 --> 0:11:50.120 us take the effort to remove those devices from our 0:11:50.200 --> 0:11:56.079 networks because they now h constitute a threat to our security. 0:11:56.760 --> 0:12:00.560 That's something that we're not very good at doing. Yet. 0:12:01.679 --> 0:12:06.160 I'll explain a bit about, you know, some examples of 0:12:06.160 --> 0:12:08.640 of where that all went wrong after we come back 0:12:08.679 --> 0:12:20.040 from this quick break. So I thought it would chat 0:12:20.080 --> 0:12:23.240 about some of the instances where hackers were able to 0:12:23.480 --> 0:12:27.960 exploit Internet of things devices. Uh. This isn't to warn 0:12:28.080 --> 0:12:33.080 everyone away from IoT. It's rather to remind ourselves that 0:12:33.200 --> 0:12:37.679 good security goes beyond resetting our router passwords or our 0:12:37.840 --> 0:12:42.520 modem log in credentials, and that it goes beyond being 0:12:42.720 --> 0:12:46.640 savvy with our computer security and and avoiding things like 0:12:46.720 --> 0:12:49.400 phishing attacks and that sort of stuff. All of that 0:12:49.520 --> 0:12:53.079 is important, and I think it still remains true that 0:12:53.320 --> 0:12:57.240 in your typical system, the weakest point is usually the people, 0:12:57.920 --> 0:13:02.320 not the not the systems, not components. But that doesn't 0:13:02.320 --> 0:13:05.719 mean that all components are bulletproof. And if there are 0:13:05.800 --> 0:13:09.760 vulnerabilities and the hacker community learns about it, that information 0:13:09.800 --> 0:13:13.320 can spread quickly in hacker circles and it may not 0:13:13.480 --> 0:13:17.200 get to anyone who can do anything about it until 0:13:17.400 --> 0:13:20.040 it's too late. You know, any time we're talking about 0:13:20.080 --> 0:13:24.480 adding components to a network, we need to think about security. 0:13:24.960 --> 0:13:27.600 Uh do we know? I mean I've been guilty of 0:13:27.640 --> 0:13:29.719 this too. I've added stuff to buy home network and 0:13:29.760 --> 0:13:33.200 then later thought, oh, you know what this thing that 0:13:33.280 --> 0:13:36.440 I just logged into, like I connected to my home network, 0:13:36.480 --> 0:13:38.600 it has a default user name and password that I 0:13:38.600 --> 0:13:42.680 can't change. And I bet there are people out there 0:13:42.720 --> 0:13:45.480 who know what the default user name and password happens 0:13:45.520 --> 0:13:48.599 to be for this particular device. I should just disconnect 0:13:48.600 --> 0:13:50.680 this from our network and not use it. And That's 0:13:50.720 --> 0:13:55.840 what I've done, Sometimes not immediately. Sometimes it's only after reflection. Luckily, 0:13:56.080 --> 0:13:58.240 as far as I know anyway, I've never been the 0:13:58.280 --> 0:14:03.720 target of a true intrusion. But it's not because I 0:14:03.800 --> 0:14:08.120 was careful enough. It's because I was lucky. And you 0:14:08.200 --> 0:14:10.720 can't count on that. And I'm saying this out loud 0:14:10.760 --> 0:14:14.360 so that I remember I can't count on that. So yeah, 0:14:14.440 --> 0:14:17.160 if we if we don't take the right steps, it's 0:14:17.200 --> 0:14:20.120 not like I would say, we're inviting trouble, but we're 0:14:20.200 --> 0:14:24.120 certainly going to be underprepared if trouble happens to find us. 0:14:24.440 --> 0:14:28.960 So let's begin with a big instance of a problem 0:14:29.080 --> 0:14:33.160 that affected not just the Internet of things, uh, category 0:14:33.280 --> 0:14:37.280 of technology, but IoT is certainly part of it. And 0:14:37.320 --> 0:14:40.280 it requires a bit of an explanation. So one thing 0:14:40.320 --> 0:14:42.720 that a lot of different systems, including a lot of 0:14:42.720 --> 0:14:48.960 IoT devices, tend to do, is log Uh. It's it's 0:14:49.000 --> 0:14:52.720 called logging. And now I don't mean that IoT devices 0:14:52.720 --> 0:14:56.280 are all putting on flannel and singing about being a lumberjack, 0:14:56.320 --> 0:15:01.040 and that's okay. No. In this case, log being means 0:15:01.160 --> 0:15:04.600 keeping a record of activity. So there are lots of 0:15:05.280 --> 0:15:08.680 systems out there that log stuff, and that makes sense, right. 0:15:08.680 --> 0:15:11.760 There's some systems that are designed to log something. That's 0:15:11.760 --> 0:15:14.800 all they're meant to do. Like let's say that you've 0:15:14.840 --> 0:15:17.520 got some environmental sensors set up in an area. They 0:15:17.600 --> 0:15:22.840 might be intended to log changes in things like temperature. Well, 0:15:23.080 --> 0:15:26.880 that's the whole purpose of that device. But even beyond that, 0:15:27.040 --> 0:15:30.800 in systems that aren't primarily about logging, they typically do 0:15:30.960 --> 0:15:35.680 have some form of logging capability. So you have Internet 0:15:35.680 --> 0:15:39.240 devices that are part of larger systems that are tracking changes, 0:15:39.400 --> 0:15:44.200 or you've got uh a logging system that logs performance 0:15:44.240 --> 0:15:46.920 information so you know how well your system is performing, 0:15:47.040 --> 0:15:50.560 is it running hot, is it efficient? You have error 0:15:50.600 --> 0:15:56.280 logging systems so that way, whenever anything goes askew, if 0:15:56.320 --> 0:16:01.160 something does not perform to expectations, you get a logged event. 0:16:01.360 --> 0:16:03.840 So that way a technician can later go back and 0:16:03.920 --> 0:16:06.560 see what the heck happened, How can we fix it 0:16:06.640 --> 0:16:08.640 and make sure it doesn't happen again so that doesn't 0:16:08.640 --> 0:16:12.480 interrupt service or worse, Um, you can log security status, 0:16:12.560 --> 0:16:16.400 all sorts of things like this. Well, it's standard essentially 0:16:16.440 --> 0:16:19.120 to have some means of logging errors, because if you 0:16:19.160 --> 0:16:21.680 don't have a way of logging errors, then when something 0:16:21.680 --> 0:16:24.680 goes wrong, it becomes like a murder mystery to figure 0:16:24.680 --> 0:16:26.960 out what the heck happened? Did it in fact go 0:16:27.080 --> 0:16:30.880 wrong or did the end user misuse the technology and 0:16:30.920 --> 0:16:34.680 misunderstand it. So you want to have that logging feature 0:16:34.840 --> 0:16:37.800 to to be able to diagnose problems much more quickly 0:16:37.840 --> 0:16:41.240 and then get to a solution. One set of logging tools, 0:16:42.400 --> 0:16:46.840 which include like a data set, a library set, that's 0:16:46.880 --> 0:16:51.480 that's heavily used in throughout technology, comes from a company 0:16:51.520 --> 0:16:58.080 called Apache. Jump on it. Apache used is used by 0:16:58.080 --> 0:17:01.360 a lot of high profile systems like cloud Flare uses 0:17:01.760 --> 0:17:06.600 Apache and cloud Flare, among other things, provides protections against 0:17:06.680 --> 0:17:09.800 denial of service attacks um. But it's also used by 0:17:09.800 --> 0:17:13.240 stuff like Steam and Twitter. And it had a tool 0:17:13.359 --> 0:17:19.960 called log for J. And what wasn't really known was 0:17:20.040 --> 0:17:22.200 that at least as far back as two thousand thirteen, 0:17:22.720 --> 0:17:26.040 there was a vulnerability in log for J that would 0:17:26.040 --> 0:17:30.800 allow for remote code execution or r c E. And 0:17:30.840 --> 0:17:33.399 that is just what it sounds like. It's a feature 0:17:33.440 --> 0:17:36.960 that lets someone run code on a point on a 0:17:37.040 --> 0:17:40.560 system from a remote location, so you can control a 0:17:40.640 --> 0:17:43.600 system as if you were right there with full access, 0:17:44.600 --> 0:17:47.600 maybe not full access, but with access, so you might 0:17:47.640 --> 0:17:49.760 actually build this into a system on purpose, Right, you 0:17:49.840 --> 0:17:53.879 might want to have remote operators able to access a system, 0:17:53.880 --> 0:17:56.920 but it can also be a vulnerability, like it could 0:17:56.960 --> 0:17:59.879 be something that you've overlooked where someone has figured out 0:17:59.920 --> 0:18:04.080 a way to execute code on a system that otherwise 0:18:04.160 --> 0:18:06.639 they should not have access to. And that was the 0:18:06.680 --> 0:18:09.760 problem with log for J. And you might wonder what 0:18:10.000 --> 0:18:13.359 specifically was going on, how did this happen? What was 0:18:13.440 --> 0:18:15.639 happening on a technical level, So I'll try to explain 0:18:15.680 --> 0:18:19.840 it from a high high viewpoint. The log for J 0:18:20.080 --> 0:18:24.560 tool uses a Java Naming and Directory Interface or j 0:18:24.800 --> 0:18:29.400 n d I. So someone who was trying to take 0:18:29.440 --> 0:18:33.680 advantage of this vulnerability and log for J would send 0:18:33.720 --> 0:18:37.240 a special h T t P or even an HTTPS 0:18:37.640 --> 0:18:41.840 based request to log an event, and they would target 0:18:41.880 --> 0:18:45.960 a server and they would send this UH this request 0:18:46.000 --> 0:18:49.000 which would include in the header a j n d 0:18:49.240 --> 0:18:54.639 I request. So um the target server would receive this 0:18:54.760 --> 0:18:58.600 and likely log this request as an error using log 0:18:58.720 --> 0:19:03.199 for J. Law for J. While logging the error sees 0:19:03.320 --> 0:19:07.240 that there's this j n d I request in the 0:19:07.240 --> 0:19:09.440 header of the request that was sent to them, right, 0:19:09.880 --> 0:19:13.280 And it's so essentially it reaches out to the server 0:19:13.760 --> 0:19:16.520 that sent the request in the first place, the hackers server. 0:19:17.200 --> 0:19:19.040 So this is kind of like someone saying, hey, can 0:19:19.040 --> 0:19:21.360 I help you? I see that you're having some issues, 0:19:21.840 --> 0:19:25.720 only it's a trap. As Admiral Akbar would say. The 0:19:25.800 --> 0:19:31.359 server would then direct this request from the target. You know, 0:19:31.400 --> 0:19:34.119 the target is saying, hey, how can I help. The 0:19:34.240 --> 0:19:38.480 server would direct that request to a directory that would 0:19:38.520 --> 0:19:43.359 contain malicious code, which, when the log for J system 0:19:43.400 --> 0:19:48.480 would continue this this process would activate that malicious code, 0:19:48.520 --> 0:19:51.080 which would then run on the log for Jay's target 0:19:51.119 --> 0:19:54.960 system UM and would create a backdoor access point for hackers. 0:19:55.000 --> 0:19:58.960 So if you've seen thor Ragnarok, this is the classic 0:19:59.400 --> 0:20:03.920 get he routine. That's essentially what the log for J 0:20:04.760 --> 0:20:10.240 vulnerability allowed hackers to do. Was it was like saying, uh, 0:20:10.320 --> 0:20:13.240 something has gone wrong. Log for J is looking into 0:20:13.280 --> 0:20:16.960 it and and the process gets trapped into running this 0:20:17.000 --> 0:20:19.600 malicious code. Didn't work all the time because obviously the 0:20:19.640 --> 0:20:23.159 server that you're targeting had to rely on log for 0:20:23.320 --> 0:20:25.960 J in the first place for this uh this vulnerability 0:20:26.040 --> 0:20:30.000 to be relevant. But this vulnerability and log for J 0:20:30.160 --> 0:20:34.480 persisted in several versions. So every time Apache was sitting 0:20:34.480 --> 0:20:38.880 on a new version of log for j This vulnerability 0:20:39.240 --> 0:20:41.520 was kind of baked in and no one knew about it, 0:20:41.560 --> 0:20:45.479 so it just it stayed there version after version, and 0:20:45.600 --> 0:20:49.119 apparently no one had Apache had noticed it, and no 0:20:49.200 --> 0:20:52.760 one outside of Apache had alerted them to it. And 0:20:52.840 --> 0:20:57.479 that changed on December ninth, twenty one. So remember this 0:20:57.560 --> 0:21:01.159 vulnerability may have been around since like thirteen, and it 0:21:01.200 --> 0:21:08.200 wasn't until someone, someone outside the hacker community figured this out. 0:21:08.600 --> 0:21:12.280 And that was when a security engineer named chen Xiao 0:21:12.400 --> 0:21:16.359 Jun who worked at the Chinese company Ali Baba Cloud, 0:21:16.920 --> 0:21:20.920 sent Apache a notification saying, hey, log for j has 0:21:20.920 --> 0:21:25.960 this critical vulnerability in it. So another side note, Ali 0:21:26.040 --> 0:21:28.879 Baba Cloud actually got into hot water for that because 0:21:28.880 --> 0:21:32.000 the Chinese government was mightily miffed that they were not 0:21:32.119 --> 0:21:37.600 informed of the vulnerability before Apache was told. And that 0:21:37.680 --> 0:21:40.320 sounds a little scary. I mean, maybe they were upset 0:21:40.320 --> 0:21:43.119 because they wanted the opportunity to address the vulnerability in 0:21:43.160 --> 0:21:46.160 their own systems because log for jays used so widely, 0:21:46.920 --> 0:21:49.840 and maybe that's why they were thinking, well, because you 0:21:49.920 --> 0:21:53.600 told them, now there's this window where attackers could attack 0:21:53.600 --> 0:21:57.560 our systems. Or maybe it was implying that the Chinese 0:21:57.600 --> 0:22:00.960 government would have preferred to keep the vulnerability secret and 0:22:01.000 --> 0:22:06.119 potentially use it as an exploit themselves. But whatever the 0:22:06.200 --> 0:22:10.440 log for J tool was is used all over the world, 0:22:10.520 --> 0:22:15.119 and this vulnerability affected any system that used the specific 0:22:15.240 --> 0:22:18.920 versions of log for J that contained this vulnerability, even 0:22:18.960 --> 0:22:21.159 if those systems were just using log for J to 0:22:21.320 --> 0:22:25.520 log errors so that technicians could diagnose system problems. Anyway, 0:22:25.560 --> 0:22:28.000 once word got out, there was a scramble to patch 0:22:28.119 --> 0:22:31.040 systems that were using affected versions of log for J. 0:22:31.720 --> 0:22:34.800 And if you were tuned into network security late in 0:22:35.640 --> 0:22:38.719 one and early in two, you probably heard about the 0:22:38.800 --> 0:22:41.440 log shell exploit. That was the exploit that would allow 0:22:41.480 --> 0:22:46.840 someone to penetrate a system by exploiting this vulnerability, uh 0:22:46.880 --> 0:22:50.919 and haven't run whatever code they wanted. And it was 0:22:51.000 --> 0:22:55.080 and is a huge issue. In fact, hackers have exploited 0:22:55.080 --> 0:22:58.760 the logshell vulnerability to create boton nets. Early ones included 0:22:59.000 --> 0:23:05.000 where one called Marai, which was perpetuated in various ways, 0:23:05.000 --> 0:23:07.480 but the log four J exploit was a big one, 0:23:07.720 --> 0:23:10.960 and another one called mush Stick. And when we come back, 0:23:10.960 --> 0:23:13.639 I'm gonna talk a little bit more about Marai, plus 0:23:13.680 --> 0:23:18.320 some other some other IoT vulnerability issues that we've seen. 0:23:18.920 --> 0:23:32.119 But first let's take another quick break. So back in 0:23:33.480 --> 0:23:37.639 the Marai boton net consisted of thousands of IoT devices 0:23:38.040 --> 0:23:41.320 and it was perpetuated in a couple of different ways, 0:23:41.359 --> 0:23:45.440 and one of them was through malware. And when a 0:23:45.480 --> 0:23:49.080 computer got infected by this particular kind of malware, it 0:23:49.080 --> 0:23:53.600 would immediately start a search for IoT devices that could 0:23:53.600 --> 0:23:57.400 also be infected and added to the button net. So 0:23:57.880 --> 0:24:01.920 one it was essentially doing was making a computer detect 0:24:02.000 --> 0:24:05.239 IoT devices and then use the default user names and 0:24:05.320 --> 0:24:09.360 passwords that manufacturers had set for these devices to try 0:24:09.359 --> 0:24:12.399 and add them to the button net. And because it 0:24:12.440 --> 0:24:16.439 can sometimes be impossible to change the default log in credentials, 0:24:16.440 --> 0:24:19.520 like there just isn't away at least not an easy 0:24:19.560 --> 0:24:22.600 way for the average person to make those changes, or 0:24:23.000 --> 0:24:24.800 a lot of people just don't bother to do it 0:24:24.840 --> 0:24:27.879 even if there is a way to make those changes. 0:24:28.800 --> 0:24:32.560 That meant that these devices were readily available to be 0:24:32.600 --> 0:24:36.840 added to button nets, and uh, stuff like DVR players 0:24:37.160 --> 0:24:41.480 were compromised and joined this bottonet army and the botton 0:24:41.520 --> 0:24:44.399 at the Murai Bottonet launched a massive de dos attack 0:24:44.400 --> 0:24:47.920 in you might even remember it. This was the one 0:24:48.080 --> 0:24:53.120 that that did some pretty big damage. Not I guess 0:24:53.160 --> 0:24:55.719 damage is the wrong word, but it definitely brought stuff 0:24:55.760 --> 0:25:03.160 down for several hours. So that included service is like Reddit, Twitter, Netflix. 0:25:04.080 --> 0:25:07.600 Outlets like CNN and The Guardian were affected, among others. 0:25:08.359 --> 0:25:11.520 According to a ten networks, the hacker group Charming Kitten 0:25:11.600 --> 0:25:16.240 out of Iran leaned on the logshell log for J 0:25:16.440 --> 0:25:18.840 exploit we were talking about before the break. They used 0:25:18.840 --> 0:25:22.520 that same exploit to launch attacks against Israeli servers, including 0:25:22.560 --> 0:25:26.199 ones belonging to the Israeli government. And while companies have 0:25:26.280 --> 0:25:29.800 been rolling out patches to their products that feature log 0:25:29.920 --> 0:25:33.960 for J, the fact that this was a widely dispersed 0:25:33.960 --> 0:25:37.520 tool and library set means it's very tricky to resolve. 0:25:38.440 --> 0:25:42.199 Like imagine it's it's something that's been spread throughout the 0:25:42.240 --> 0:25:45.719 world and then years later you find out, oh, shoot, 0:25:46.480 --> 0:25:49.160 it's got this fatal flaw in it that we didn't 0:25:49.240 --> 0:25:52.440 know about and everybody's got one. Now, how do you 0:25:52.480 --> 0:25:56.440 get the message out so that anyone affected can take 0:25:56.480 --> 0:25:59.159 steps to get rid of that thing. That's kind of 0:25:59.160 --> 0:26:01.960 where we are now. I mean it's the big companies 0:26:02.080 --> 0:26:05.880 started rushing out patches right away. Uh, And these were 0:26:05.880 --> 0:26:08.439 companies that had built log for J into lots and 0:26:08.480 --> 0:26:12.879