[00:00:19.310] – Jason Pufahl
So no guest star today. I feel like we did a bunch of episodes in a row we had guest stars.
[00:00:24.150] – Matt Fusaro
Just the three of us.
[00:00:29.370] – Jason Pufahl
Our monthly news segment, and I think there’s at least one thing, certainly, that’s making a lot of headlines. That’s the potential hostile takeover of Twitter by Elon Musk. Maybe on the outside it doesn’t feel like there’s much in the way of implications there, but certainly it’s a social media platform with a large user base and the potential ability to, I don’t know, I want to say control the way people think, but certainly influence the way people think. There are some things that we have to think about.
[00:01:06.830] – Matt Fusaro
Yeah. Steve made a good point this morning when we brought it up briefly. It’s not done yet. We’ll see what actually happens after the shareholder meeting.
[00:01:15.990] – Steve Maresca
Right. There are a lot of headlines that say Elon Musk acquires Twitter. No, not quite yet.
[00:01:22.810] – Matt Fusaro
The number is crazy, it was 44 point something. I think YouTube was bought for what, 1.8 billion by Google. Just a nuts number to me.
[00:01:40.000] – Jason Pufahl
But which service would you rather have, YouTube or Twitter, right?
[00:01:45.170] – Matt Fusaro
Yeah. I don’t know these days. I think YouTube probably makes more money than Twitter. I have to imagine. But I guess from our security angle on this, I don’t know. I think what people are probably more worried about is someone like Elon Musk just suddenly having control over the World’s Forum, if you will.
[00:02:05.470] – Steve Maresca
Well, he stated his opinion as being a free speech absolutist, meaning everyone can come to the table. Free speech has never really meant that in application, so chaos can result. I think that’s what a lot of the secondary hubbub tends to be about on this subject. Absolutely, the return of unpleasant subjects and volatile personalities to Twitter is of high concern, especially in the sphere of cyber warfare and geopolitical concerns. They actually impact public discourse, and no one knows exactly where it will go if he does actually fulfill some of those stated philosophical opinions about the platform.
[00:02:55.380] – Matt Fusaro
Yeah. It’s going to be very interesting to see what changes there. At the end of the day, maybe nothing changes. Who knows? Maybe he just wanted to do that. But I know there’s a mass exodus going on as far as employees; who knows what that means for stability. However that whole platform is managed could just fall apart.
[00:03:15.500] – Steve Maresca
I know a lot of Twitter users would say, hey, 40 something billion dollars, if that gets me an edit button, I’m satisfied.
[00:03:23.890] – Matt Fusaro
Yeah, it’s crazy, but it remains to be seen what this actually means for everyone as far as that goes.
[00:03:31.770] – Jason Pufahl
Yeah. I think we just watch it, and maybe in June or thereabouts we return to it and say this turned into nothing or, oh, boy, it’s terrible.
[00:03:41.890] – Steve Maresca
There’s meaningful impact to us to some degree. Twitter is a fantastic resource for really early alerts about something actionable in the security sphere. If it produces an exodus of high quality users, that affects us literally. But more in general, I think the message is, well, pour some water on the headlines. There’s some time.
[00:04:04.260] – Jason Pufahl
Yeah. I’m not that worried about the exodus because I feel like they’ll land somewhere. So if it’s not Twitter, then I just go to a different platform and get probably that same information. I agree with you. Probably time to move away from the truth of discussion already. The other bit of news that I think is interesting is the idea of bringing the CVE model, the Common Vulnerabilities and Exposures model that I think a lot of at least security and maybe IT practitioners are used to seeing for flaws in operating systems and applications, etc., and extending that a little bit more towards the cloud space, and I think giving some visibility there. I think it’s right to have a push there. I think there’s a misguided sense that, hey, I’ve moved my workload to the cloud, I no longer have to worry about security.
[00:05:03.140] – Steve Maresca
The big thing behind that is that MITRE, the organization that issues CVE identifiers, at the moment doesn’t really designate identifiers for issues that are deemed to be the responsibility of cloud providers. That’s the general gist of this. But CVE in general, as a scheme, is a little long in the tooth, 22 years old or something to that effect. Most of the time, folks in IT, folks in actual IT operations or security operations, are frankly struggling with simply how to make sense of the information and prioritize appropriately. There’s a lot of ground here that could be improved. I’d certainly welcome something for cloud providers, because –
[00:05:48.590] – Matt Fusaro
The only process that’s there right now, which I suppose is not even really sanctioned by anyone, is that they will let us know if they’re affected by a system. Yeah.
[00:05:57.520] – Jason Pufahl
[00:05:59.010] – Matt Fusaro
Yeah. They don’t have their own designation at all, and it’s a good point that it would be nice if there was a record, even if they did completely mitigate that. If there was some type of data breach that gets found, maybe even years later, who knows? It’d be nice to have this stuff documented so that we know about it.
[00:06:19.460] – Steve Maresca
Right. I have some other tactical issues with CVE. They’re often published months… They are disclosed months after they were actually created, which is a reasonable thing in many other areas. I don’t want anyone to think that I’m advocating for immediate disclosure [crosstalk 00:06:36]. All the same, there are a great number of CVEs that have zero information attached to them. There needs to be a balance struck, and most of the time it’s biased towards PR, in my opinion, and not necessarily effective defense. So anything that really increases the odds of a defender actually making good decisions is something that I perceive as a positive move.
[00:07:07.490] – Jason Pufahl
So the time frame of this, though, do we have clarity on that? It looks like they basically brought a group together to start discussing how this might look, how it might work, and what the implementation process might be. There’s no timetable of, hey, we’ll see this in a year.
[00:07:21.340] – Steve Maresca
No, this is going the usual route of a request for comments and committee based decision making. There are several consortia, like the Cloud Security Alliance and so forth, that are getting together with big players to talk about it.
[00:07:36.930] – Matt Fusaro
It’s more of the community as a consensus: this is probably a good idea. Now, let’s put something.
[00:07:40.830] – Steve Maresca
Exactly, it’s on the horizon, but no real expected delivery or arrival.
[00:07:46.190] – Jason Pufahl
Speaking of CVE, then, I think at least one of you put on the list talking through one specific CVE, the psychic signatures in Java. I’ll be transparent, I read through it quickly and it’s probably best if one of you addresses it.
[00:08:05.340] – Matt Fusaro
Yeah. I mean, talk about long disclosure times. This is a CVE from November 11 of last year, 2021. That’s when the issue was found. It was not fixed until April 19, 2022. Discuss. It appears this is a bug with Java having to do with a certain type of signature. They’re called ECDSA signatures. I’ll spare you the jargon. Basically, it’s just a signature for verifying certain data activity.
[00:08:47.180] – Steve Maresca
The bug, in a nutshell, would enable an attacker to effectively forge some types of SSL certificates, the thing that protects HTTPS and things of that nature, to convince a reliant secondary party that they’re interacting with something legitimate. We’re talking about attacks of deception, interception attacks, things of that sort.
[00:09:12.230] – Matt Fusaro
It looks like this particular problem was an issue across Java 15, Java 16, 17 and 18. So the recommendation right now is to get them all out of production and upgrade. That’s going to be a challenge. So for those of you that don’t know, typically Java stacks like this, you’ll find them in huge types of applications these days. You don’t see it too much in your one-offs anymore. You’re going to find them in student information databases, large HR types of applications.
[00:09:47.690] – Steve Maresca
Identity federating platforms, things of that variety.
[00:09:50.210] – Matt Fusaro
Usually things that are important, and they’re not changed out very often, for a good reason, because they’re complicated and expensive.
[00:09:57.210] – Steve Maresca
You mean payroll processing on a Java stack that’s vulnerable to this might be a problem?
[00:10:01.810] – Matt Fusaro
Yeah. I think really the moral of this whole story is just get the heck off Java.
[00:10:07.480] – Jason Pufahl
Yeah. It just seems like there’s always a new Java CVE.
[00:10:10.480] – Matt Fusaro
Yeah, they come constantly. There’s either performance issues or security issues with it. I don’t necessarily have much faith in Oracle making this a better platform anytime soon, so I’m ready to sunset it on my own.
[00:10:26.010] – Steve Maresca
I got a lot of flak internally earlier for distorting the usual Java mantra, “write once, run anywhere,” to be “write once, exploit anywhere.” I do want to counter Matt a little bit. If the enterprise runs on Java, it’s not going away. Yeah, COBOL is still around. Java will be around with the same sort of timeline.
[00:10:45.600] – Matt Fusaro
I don’t disagree there.
[00:10:46.970] – Steve Maresca
Realistically though, because of Java’s ubiquity, we have issues like the Log4j issue or the Spring4Shell problem recently. These are fundamentally in the underlying big infrastructure of the internet and most large companies, and extinguishing these bugs is very challenging. Here are some reasons. You may encounter a server that runs multiple different versions of Java simultaneously in parallel, because it’s supported and almost an expectation. Therefore, actually rooting out every little component is a major issue. Java is embedded in devices. It’s embedded in applications that are deployed without the actual IT department having any awareness that Java is present in it. So actually fixing these problems takes an enormous amount of effort.
[00:11:35.250] – Matt Fusaro
Yeah. It goes back to the conversations that we have quite often on this podcast about making sure you have an inventory of these things, so that when the next Java thing comes up, you at least know where it is, what you’ve got to address, and have a plan.
[00:11:50.010] – Steve Maresca
I think I just want to summarize the exact problem, because it’s a little abstract for many audiences.
[00:11:56.560] – Jason Pufahl
That’s why I saved it for last.
[00:11:57.700] – Steve Maresca
Yeah, if you’re familiar with the Doctor Who series, the long running British sitcom/sci-fi/drama, whatever you’d like to call it depending upon the season. The Doctor has a tendency to hold up a blank identity card to say he is whoever he wants to be at that moment, and it induces belief in the observer. That’s being passed around as a somewhat tongue-in-cheek way of representing what this bug does. Essentially, it allows an attacker to claim that they are whomever they wish to be.
[00:12:32.400] – Steve Maresca
As you might imagine, when identity is used to gain access to data, to systems, to grant privileges, that’s a major issue. I would expect that this one has a long tail. We’ll still be talking about it, at least in vulnerability reports for another couple of years.
[00:12:50.060] – Matt Fusaro
Yeah, it’ll be interesting to see if there are any public data disclosures that happen because of this. I’m not personally aware of any that are directly related back to this, but I’m sure they’re going to come out and out of this articles up.
[00:13:03.610] – Jason Pufahl
Yeah, if people don’t care about the psychic signature, they can at least start watching Doctor Who, right?
[00:13:11.530] – Steve Maresca
Final comment from me, joking manner. Oracle gave this a score, a Common Vulnerability Scoring System score, of 7.5, which is in our estimation wildly inappropriate, wrong, very wrong. Various other entities in the security sphere and peer researchers have definitely escalated this up to the top of the scale. You should treat it organizationally as such as well.
[00:13:39.130] – Jason Pufahl
That’s good advice. Well, normally we say if you want further discussion around this, hit us up on Twitter or LinkedIn, and of course we want to be followed there. But I’m not sure there’s a whole lot to talk about with the Twitter acquisition or the CVE stuff that might be a year plus out. As always, we hope you got some information out of this, and certainly pay attention to the Java vulnerability.
[00:14:05.840] – Steve Maresca
If there’s topical news out there that you want to hear us talk about, feed it our way.
[00:14:09.460] – Jason Pufahl
Yeah, that’s fair. We’re always looking for input there. So as always, thanks for listening. We appreciate it and look for future episodes.
[00:14:18.190] – Speaker 1
Stay vigilant, stay resilient. This has been Cybersound.