Log4j – this time it went well



Warning: this post was created 3 years ago.

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

The articles of Cassandra Crossing are published under the CC BY-SA 4.0 license | Cassandra Crossing is a column written by Marco Calamari under the “nom de plume” of Cassandra, born in 2005.

A double appointment with Cassandra this week, thanks to Log4j; if you are interested, you can find the first part of this article here.

This article was written on December 16, 2021 by Cassandra

Cassandra Crossing / Log4j – it went well this time

The bug of the century could have been used destructively, and it didn't happen; what happens now?

As Cassandra's 24 unfailing readers know, the topic of the next Internet catastrophe has always been in the foreground on these pages, particularly where it is linked to software complexity.

The current hot topic is certainly the log4j library bug; as often happens with heavily debated topics, the debate itself prevents us from putting the main issues into perspective, because they are smothered by the analysis of details, or even by chatter.

The overlooked aspect of the Log4j "affair" can be summarized in a single sentence: “This time it went really well for us.”

Systems engineers across the globe, including those at NASA, SpaceX and the various national space agencies, who have been working for days in conditions of total emergency, may not agree; given the stress they are under, they might even react very badly to such a statement.

We will therefore try not only to state this claim but to justify it, and to do so, as usual, we must frame the matter historically and rewind the tape; this time to a date as precise as it is distant, namely January 25, 2003.
That day the second most serious global Internet incident occurred (second only to the Morris Worm of November 2, 1988, which caused two days of havoc on the newborn Internet).

That Saturday SQLSlammer, a standalone worm capable of replicating itself in a very short time, not least because it operated exclusively in RAM, infected 75,000 servers in less than 10 minutes and caused the most visible and prolonged global slowdown of the Internet.

The slowdown was not caused by any malicious action of the worm, which, like the Morris Worm, carried no destructive payload and did nothing but replicate itself; it was caused solely by the peak of traffic generated by the infected servers, traffic that overwhelmed, and in some cases crashed, the Internet's main routers.

SQLSlammer, among other things, exploited a well-known flaw in Microsoft SQL Server, of which Microsoft had been aware since July 24, 2002, and for which it had quite promptly released a little-noticed and little-publicized patch; the fix had therefore been available a good six months before the event, yet at the time very few system administrators had considered and installed it.

In the case of SQLSlammer, the fact that the solution was immediately available had the positive effect of allowing a relatively quick return to normality: installing the patch and rebooting, which removed SQLSlammer from RAM, was enough.

Perhaps, putting it into perspective, this apparently positive fact was actually negative, because it led to an underestimation of what had happened, or rather to its rapid oblivion.

Today, twenty years of malware development have produced software capable of exploiting bugs in a modular, efficient, flexible and, when necessary, completely automatic way; the Mirai botnet is an example for all.

Now let's suppose that the Log4j bug, which, we recall:

  • is cross-platform;
  • potentially affects any platform and any operating system that uses Apache and/or Java;
  • had no patch available;
  • allows the injection and execution of arbitrary software on the affected machine via the Internet;

had been exploited by a botnet strategically programmed by one of the actors on the malware/cyberwarfare scene.

We could easily have had to face the crash, or even worse, the compromise and total takeover of the majority of the servers exposed on the Internet, which would have required disconnection, complete reinstallation and patching of each individual server. I repeat, for those who have not grasped the enormity of the work compared to the other cases: reinstall and patch every-single-server-exposed-on-the-Internet, whether physical, virtual or dockerized.

A nightmare compared to which recovery from SQLSlammer, or even from the Morris Worm, looks like a minor temporary inconvenience.

Cassandra likes to keep things short, and there is no need to repeat concepts or string together buzzwords and superlatives to pad out the narrative.

At the end of the day, where is the problem today?

Let's ask ourselves how much the "Internet decision makers" have learned in the last twenty years: the systems engineers, the managers who must request budgets for IT security and disaster recovery, and the boards of directors who should decide to invest mountains of money to mitigate the next Internet "Black Swan", like the one Log4j could have caused.

The causes of the systematic underestimation of IT security by companies are still there: too often the reaction to incidents is greater investment in insurance policies and public relations rather than in IT and operational security.

And let's not forget that a new class of "national" actors and criminal organizations is stockpiling cyber weapons in arsenals, small and large, ready to be used in traditional wars or terrorist attacks.

If rivers of money are not really spent on improvements to IT and operational security by technicians and systems engineers, instead of being diverted by officials and managers toward other objectives, it will mean that nothing has changed, and that the next botnet, the next attack by a malicious actor or the first act of the first cyber war could consist of the prolonged disabling of the Internet and its resources, carried out, where necessary, in a selective manner.

Unconnected, dark and dry.

Is the scenario outlined in these few lines by your favorite prophetess scary enough?
Did it terrify you, or at least seriously worry you?

Let's hope so; in that case Cassandra will have managed to do her job.

Marco Calamari

Write to Cassandra — Twitter — Mastodon
Video column “A chat with Cassandra”
Cassandra's Slog (Static Blog).
Cassandra's archive: school, training and thought
