Log4j. Or,
Why on Earth is Java on Mars?
ED NOTE:
This post was written over 2 days, Saturday and Sunday.
By Monday, all manner of exploits were happening.
Cryptocurrency mining software is being installed on systems that
visited websites infected with Log4j.
Some infected computers were enlisted in at least 2 botnets.
Simply put, once your PC becomes a node in a worldwide botnet, your PC
is effectively no longer your own. And it's not just your PC that
is at risk. The malware also tries to enlist IoT devices into its
botnets.
"These malware families recruit IoT devices and servers into
their botnets and use them to deploy cryptominers and perform
large-scale DDoS attacks." That means everything from
your smart watch to your cable set top box is at risk. And if
these devices use your Internet connection, they could be used to infect
your computer no matter how careful you are.
If it weren't for the tornadoes that devastated several states, and, of
course, the ever popular pandemic, news of the
Log4j vulnerability might have been this weekend's top
story in all media. Thursday, the Log4j vulnerability was first
reported as a vulnerability in the ubiquitous Apache webserver software.
That, however, was incorrect.
"This is not a problem with Apache. The Apache Software
Foundation maintains log4j2. They do a lot of great stuff, not just the
webserver. Log4j is not part of the Apache webserver."
There are a few variations on the name of the vulnerability, but "Log4j" is what the vulnerability is
most commonly called.
What makes this vulnerability so critical is the fact that "More
than 2.5 billion devices running Java, coupled with the fact this
vulnerability is extremely easy to exploit, means that the impact is
very far reaching." Another researcher declared what
I have been saying for 10 years now. The headline says it all.
"The Log4j Vulnerability, Every Java App is a backdoor for
remote code execution."
It was in the Apache webserver software that the
Java based "logging application"
was first discovered. Within 48 hours, the digerati
were ablaze with reporting of Log4j.
“The internet’s on fire right now,” said Adam Meyers, senior
vice president of intelligence at the cybersecurity firm Crowdstrike.
By Friday, Log4j had been "fully weaponized," Meyers said. "Worst
bug impacting the Internet in the last 5 years, at least," declared
Matthew Prince, CEO of the web security company Cloudflare, on Twitter.
Saturday, Cybersecurity and Infrastructure Security Agency (CISA)
Director Jen Easterly released a statement on the Log4j vulnerability
that compelled
"federal civilian agencies -- and signals to non-federal
partners -- to urgently patch or remediate this vulnerability."
Notice the chief cyber cop says PATCH!
Recording events that occur within the network (logging)
is essential to the operation of the network. Shocking to much of
the digerati is the fact that Java is still used in so many network
applications. Everything from
Apple's iCloud cloud storage to
Ingenuity, the Mars 2020 Helicopter mission, is powered by
Apache Log4j. If there are Martians living
underground, we may have just crashed their computers.
Another ongoing theme among the digerati is the fact that this
vulnerability has been
known about in security circles since at least 2016.
A presentation about what is now known as Log4j was given by
representatives of Hewlett-Packard at the
BlackHat Conference in 2016. A PDF of the
presentation is available
here. BTW: Professional hackers also
attend Black Hat.
Let me use a phrase so common now as to be a cliché to explain why Log4j
is an issue for us computer users. Look at the Internet as a "supply
chain." In a supply chain there are consumers,
distributors, and producers. In this model, we are the consumers.
Internet operators are the distributors. And we can consider the
various vendors of hardware and software products as the producers.
Using Oracle's Java to power web applications is like a farmer using a
pesticide that is a known carcinogen to fumigate his crops. It may
be the most efficient way to rid the crops of pests, but the farmer has poisoned
the consumer of his produce. By continuing to rely on Java, these
vendors have created a universal attack surface that
"grants criminals, spies and programming novices alike, easy
access to internal networks where they can loot valuable data, plant
malware, erase crucial information and much more."
It is the "plant malware" action that most concerns us consumers of the
Internet. Planting malware often means exploiting unpatched
systems. Hackers can and do disable antivirus software to infect
computers. Hackers can and do exploit vulnerabilities in home
routers to infect computers. And so on and so on. As you
read this, hackers are using Log4j to plant malware via the Internet in real time
right now. I suggest you run Windows Update manually every day.
Install any patch that is offered. If your computer is upgradeable
to Windows 11, then do the upgrade. If you are considering buying a
new computer, buy it. And then upgrade the new PC to Windows 11.
Log4j is just one of the many lingering unresolved software
vulnerabilities lurking behind the scenes of so many websites. The
crooks leverage these vulnerabilities to plant their malware on
unsuspecting visitors to an infected website. The big names that
come to mind have most likely by now patched their servers. There
are, however, thousands of smaller operators doing all they can to
fill holiday orders in time. My bet is these website operators,
especially if they administer their own servers, will not, and maybe
cannot, afford the downtime it takes to patch. Google and Apple
can afford system redundancies; Ma & Pa's Salsa Center and Handbag
Emporium probably can't afford such redundancy.
If you run Windows 10, have you installed the November update,
otherwise known as Windows10 21H2? If you have Windows 11, run
Windows Update. There may be one or more out of cycle patches.
I don't know what to tell you about your old router.
Gerald Reiff