Thanks for this succinct instructional. Definitely going to use this in my lab, and then hopefully at work
2021 ended with a blast
What a way to end the year, great content!
Anyone else notice the video length is 13:37… which is pretty leet?
I imagine that this sort of thing might be a malware payload so that attackers can get innocent people to do recon for them, essentially masking their presence and causing additional chaos.
Awesome!!! Btw, do u remember me from ur maker portfolio A year ago? Time flies 😊😊😊😊
Yea, this was a really nice 144 hour day while I was on vacation. So much fun.
How to delete our tokens?
Are any of you messing with the canary token website? It won't load for me.
hey alex, was canarytoken still working? i heard it had broke or something
Watching this while eating my HAXOR Flakes.
Great video, keep up the good work!
Also you should do a video on SDR type DIY builds like the other ones you have done with, say, the deauther or WiFi ducky, something to send 5 GHz or more at the max, with a screen, and maybe go nuts and add a few other projects like the two mentioned all in one, call it the iHAC ;)
Two things: 1. How the hell did the programmers of log4j not foresee this? 2. Good to see your ears.
Also this has been there for so many years. I think since 2012.
Not all programmers come with cyber security in mind. They just concentrate either on their task itself or on the business case in general. But they do not think about how their feature can be attacked. So log4j was made with some weird use case where there was a need to get some stuff from a remote server. And like this, JNDI lookup was added to a simple logger.
And as it is just a logger, few people show an interest in what is going on inside it. If it logs the stuff, then it is good to go. The end user is satisfied. Different from some online game where the end user can notice all kinds of weird bugs and then reports them to the developers for fixing. A logger is just so simple. It does one job: logs. OK, it is possible also to modify logs, but in general one job. And with one job it is difficult to go wrong. So the end user is not noticing any bugs and not doing any bug reports to the developer. And like this, this vulnerability remained in the logger for so many years before somebody took time to mess around with it and found this vulnerability.
Normally they get visitors from agencies with 3 letters asking them to build something in for them and forget about it.
Of course there are advantages ... doing what they say. On the other side - you have no choice doing something else.
I have heard quite some people making software telling me such stories. Especially if your software is able to really protect something FROM THEM.
How did they not see it? They didn’t know what to look for. They had a feature request, they worked it and nowhere in that process was security testing involved. Failure of imagination is the cause of MANY security lapses.
This JNDI remote code exploit was presented at the 2016 US BlackHat conference. Oh well!
So is this how their gonna take the internet temp offline?
It does not take the Internet offline. It just makes it vulnerable. So hackers can enter all kinds of systems (simplified explanation) at will.
*they're (contraction of "THEY aRE")
their: for possession
there: for all other uses
Nice and very informative.
Is it illegal?
This is like a honey trap, right, the canary token?
Superb.
Why do you blur Admin and Password if you're going to say it anyway?... Also we won't be logging into it.
I've been hunting for log4j issues. It sucks!!!
What challenges are you having?
@old2235 Just a real pain hunting down everything that might be vulnerable. Then hoping the update isn't a problem. Then I had a server mysteriously freak out and started wondering... Did I miss something? I completely reinstalled everything fresh and it started bogging down again. To the point I couldn't even SSH in. I got everything working right now.
@jmr sorry to hear that, if you want to collab do let me know. I remember there is a bypass for the new fix for log4J, do check that one out.
@old2235 Thanks, I'm pretty sure I've got it worked out.
Ye, same here, it was a crazy week when this was announced. So many applications and servers use this.
nice
1337
Yoooo. I’m number 5 and it got 900 views..
Guys..
I did it.
I saw Halley's comet in RUclips tonight,
Also if you would like to know a secret that will CHANGE. YOUR. LIFE.
....ever heard of NFT’s..?