The Details The Log4J vulnerability in the Java logging package maintained by Apache made headlines late last week. It was disclosed as a Zero Day bug which is easily exploitable, received a CVSS score of 10/10, and includes remote code execution (RCE) on the target host. Associated CVE-2021-44228 is available on the NIST NVD website which provides more information and references including the CISA advisory. The number of Log4J installations has been described as “hundreds of millions” and “countless”. Virtually all Log4J versions (<= 20.14.1 which was released in early March 2021) are vulnerable. The most recent version of Log4J is now version 20.16.0 since subsequent patched updates were released in quick succession on December 6th and December 13th of 2021. If you want to know whether a 3rd party application is vulnerable to re-assess your risk, review the Software Bill of Materials (SBOM), if one has been provided, it…

Read more

When Best Practices Are Infeasible

Cloud Security

IT Security Best Practices are processes and configurations outlined by industry leading standards organizations such as SANS, NIST, and OWASP amongst others. Some examples of best-practices include: keeping software and systems updated, uninstalling all but required applications and services, segmenting critical network resources, and configuring host and network firewalls to first block all traffic, then allow only required traffic by IP and protocol. But are best practices always feasible for an organization? To some, this may seem like a ridiculous question. Most CISO’s would likely rather consider the question the other way around: “Is not having best practices feasible?”, since their jobs depend on the performance of security controls. So why then did John Mandia of Mandiant Security LLC to respond with “it depends” when responding to that question before a US congressional special hearing in response to the SolarWinds malware [1]? Senator Wyden’s question specifically referenced NIST firewall best…

Read more

The Recorded Future web-conference today was a great insight into the deep Cyber-Intelligence technology the company has developed and what it offers organizations. On display were both a definitive set of broad trend data combined with deep and granular information on every aspect of the MITRE ATT&CK framework and beyond. Recorded Future’s LinkedIn profile reports the company as having had Series E funding of $25 million dollars, however Crunchbase reports an even higher total investment of over $50 million dollars.  A press report on PRNewswire in October 2021 outlines Recorded Future’s recent investment in CVE intelligence company Cyber Threat Cognitive Intelligence (CTCI)  and describes the Intelligence Fund; Recorded Future’s investment platform. For anyone as passionate about Cyber-Security, predictive forecasting, and Intelligence as I am, there is a ton to be excited about with Recorded Future’s platform and capabilities.  Here’s what I learned from the conference today. Recorded Future aggregates data…

Read more

Linux Dominates Performance-based Computing Market Share Linux may be less susceptible to cyber-attacks because Windows presents such an attactive target by holding the majority of the desktop marketshare. However, Linux servers dominate the global market in some powerful ways. According to industry reports, Linux OSs comprise 100% of all supercomputers, and over 95% of the top 1 million web servers are running Linux. Linux runs on 90% of all cloud infrastructure and dominates the mobile phone market with > 80% of market share. Embedded operating systems, and RTOS for IoT devices? Again, Linux is by far the most popular OS of choice. If you want more interesting facts about Linux’s market presence, you can Read Nick Galov’s revealing 2021 comprehensive summary of Linux market penetration. Knowing how to conduct a Security Audit of a Linux system and services is very important indeed.  This most often includes whitelisting required applications and…

Read more

What is GVM and OpenVAS? WikiPedia does a really nice introduction to GVM so let jump start our understanding with that: OpenVAS is the scanner component of Greenbone Vulnerability Manager, a software framework of several services and tools offering vulnerability scanning and vulnerability management. All Greenbone Vulnerability Manager products are free software, and most components are licensed under the GNU General Public License. To understand the relationship between OpenVAS and GVM we should refer to the OpenVAS website, which does a good job explaining the relationship between OpenVAS and GVM: In 2019 the branding separation was completed. OpenVAS now represents the actual vulnerability scanner as it did originally and the “S” in “OpenVAS” now stands for “Scanner” rather than “System”. These changes are accompanied by an updated OpenVAS logo. The framework where OpenVAS is embedded is the Greenbone Vulnerability Management (GVM).OpenVAS released with GVM-10 receives numerous performance optimization to address…

Read more

A new type of vulnerability has been disclosed by researchers at Cambridge University in the UK where Unicode Bidirectional Control Characters are used to change the way text appears in the IDE or text editor compared to how the compiler will interpret and compile the source code into an executable.  Proof of concept code has been released for virtually every language including C, C#, C++, Go, Java, Ruby, Python, JavaScript, Rust, and more. Here is a link to the original paper, a GitHub repository released by the authors that includes proof-of-concept code samples for virtually every popular language and the issued CVEs CVE-2021-42574 and CVE-2021-42694, both having severity score of 9.8 “Critical”. Unicode Bidirectional Control Characters are needed in Unicode because Unicode is meant as a super encoding standard which allows all languages (and even emojis) to be contained in a single encoding standard as opposed to say, ASCII which…

Read more

What Is An Axial Flux Motor And Why Is It Better?

Picture of an axial flux motor

What is an Axial Flux Motor?   To skip to the patent data click here. An axial flux motor is an electromagnet based motor technology that uses pulses of electromagnetic charge to create a rotating force .  Axial flux motors are great because they avoid the use of a drive-train altogether. The problem with a drive-train is that it includes a drive-shaft, crankshaft, propeller shaft, and transmission (gearbox).  These components connect together and when working use the kinetic pressure between themselves to transfer power as torque.  However, the connections cause friction and  this friction between components results in a loss of energy.  If you look at the image of the gearbox below, you can see how complex and exact the contact surfaces are, but there is still energy loss at each of those contact points.       A traditional automotive drive-train is inefficient due to the transfer of kinetic…

Read more

Various patent indicators, such as number of citations, technology-cycle-time (TCT), number of claims, renewal status have been used to measure the value of patents with respect to economic value through competitive advantage a company patent holding company gains by holding legal rights to sale of the described technology.  Another use of patent indicators attempts to gain insight into the emerging innovation landscape or “technology lifecycle”. Analysis of knowledge stock demonstrated by a group of patents can forecast potential novel technologies which will hold advantages over existing ones. Forward Citations A patent’s forward citations are references to it received by a later filed patent as opposed to a backward citation which are references listed on a patent grant (or application) itself.  The use of forward citations as a positive measure of a patents importance has been reviewed numerous times in academic literature. The more (forward) citations a firm’s patents receive, the…

Read more

These study notes are provided for students of CompTIA Pentest+ exam. If you notice any problems with the notes, please let me know via email (joseph@ripplesoftware.ca).   General Pentesting Engagement Scoping Information Gathering Vulnerability Scanning Exploitation Process Pentest Tools Exploit Specifics Post Exploit Communication Processes

Read more

Commercially Viable Nuclear Fusion Is Closer Than Ever

Engineering 3D model of a TOKAMAK thermal nuclear fusion engine

The Goal of Reducing Climate Change The OECD advisory on climate change (Green Grown Studies) states that a multi-pronged approach is required to reduce, stop, or reverse climate change. The critical stages in the energy lifecycle that need to be addressed include: Energy generation Transportation Conversion Storage Consumption Smart-grid technology Smart-homes Smart Manufacturing Smart circuits and computer chips Of all the green / renewable sources of power, nuclear fusion has the biggest potential impact. Nuclear fusion is the holy grail of renewable green energy sources and has the potential to drastically reduce CO2 output by replacing other fossil fuels such as coal-fired electricity plants. Other potential sources of renewable power such as solar, wind, geothermal, and hydro offer benefits over non-renewable power such as coal, and oil and gas, but none have the potential to output as much clean energy as realizing commercial of nuclear fusion.  However, a future global…

Read more