The Biggest Software Vulnerability of All Time
The ‘most serious’ security breach ever is unfolding right now. Here’s what you
need to know.
Much of the Internet, from Amazon’s cloud to connected TVs, is riddled with the
log4j vulnerability, and has been for years
On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of
computer code started rippling around the cybersecurity community. By the next
day, nearly every major software company was in crisis mode, trying to figure
out how their products were affected and how they could patch the hole.
Security experts’ descriptions of the new vulnerability in an extremely common
section of code called log4j border on the apocalyptic.
“The log4j vulnerability is the most serious vulnerability I have seen in my
decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure
Security Agency director, said in a Thursday interview on CNBC.
So why is this obscure piece of software causing so much panic, and should
regular computer users be worried?
Log4j is a chunk of code that helps software applications keep track of their
past activities. Instead of reinventing a “logging” — or record-keeping —
component each time developers build new software, they often use existing code
like log4j instead.
A few weeks ago, the cybersecurity community realized that simply asking the
program to log a line of malicious code would make it execute that code in the
process, effectively letting bad actors grab control of servers that are running
log4j.
Some people say it surfaced in a forum dedicated to the video game Minecraft.
Others point to a security researcher at Chinese tech company Alibaba. But
experts say it’s the biggest software vulnerability of all time in terms of the
number of services, sites and devices exposed.
Hackers who try to break into digital spaces to steal information or plant
malicious software suddenly have a massive new opportunity to try to get into
nearly anywhere they want. That doesn’t mean everything will be hacked, but it
just got a lot easier to do so — just as if the locks on half of the homes and
businesses in a city suddenly stopped working all at once.
The vulnerability also gives hackers access to the heart of whatever system
they’re trying to get into, cutting past all the typical defenses software
companies throw up to block attacks. Overall, it’s a cybersecurity expert’s
nightmare.
Computer programmers and security experts have been working night and day since
the vulnerability was publicized to fix it in whatever piece of software they’re
responsible for. “Some of the people didn’t see sleep for a long time, or they
sleep like three hours, four hours and wake back up,” Ashkenazi said. “We
were working around-the-clock. It’s a nightmare since it was out. It’s still a
nightmare.”
Hackers have already tried to use it to get into nearly half of all corporate
networks around the world, Check Point said. Most of the hacking has focused on
hijacking computers to run bitcoin mining software, a tactic hackers have used
for years to make money.
What can we do?
To take advantage of the vulnerability, hackers have to deliver malicious code
to a service running log4j. Phishing emails — those messages that try to trick
you into clicking a link or opening an attachment — are one way to do so.
Keep an eye out for an influx of phishing messages in the coming days, Malik
said, as hackers scramble to plant bad code in as many places as possible.
The best thing regular computer users can do is make sure the apps they use are
updated to their most recent versions, Malik said. Developers will be sending
out patches over the coming days to fix any log4j issues, and downloading those
quickly will be important.
washingtonpost.com