TechDigits

Tech news
Tuesday, Mar 28, 2023

Log4j software flaw 'endemic,' new cyber safety panel says

Log4j software flaw 'endemic,' new cyber safety panel says

A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.
The Cyber Safety Review Board said in a report Thursday that while there hasn’t been sign of any major cyberattack due to the Log4j flaw, it will still “be exploited for years to come.”

“Log4j is one of the most serious software vulnerabilities in history,” the board’s chairman, Department of Homeland Security Under Secretary Rob Silvers, told reporters Wednesday.

The Log4j flaw, made public late last year, lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw’s exploitation appeared in Minecraft, a hugely popular online game owned by Microsoft.

The flaw’s discovery prompted urgent warnings by government officials and massive efforts by cybersecurity professionals to patch vulnerable systems.

The board said Thursday that “somewhat surprisingly” the exploitation of the Log4j bug had occurred at lower levels than experts predicted. The board also said that it was unaware of any “significant” Log4j attacks on critical infrastructure systems but noted that some cyberattacks go unreported.

The board said future attacks are likely in large part because Log4j is routinely embedded with other software and can be hard for organizations to find running in their systems.

“This event is not over,” Silvers said.

Log4j, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.

A security researcher at the Chinese tech giant Alibaba notified the foundation on Nov. 24. It took two weeks to develop and release a fix. Chinese media reported that the government punished Alibaba for not reporting the flaw earlier to state officials.

The board said Thursday it found “troubling elements” with the Chinese government’s policy toward vulnerability disclosures, saying it could give Chinese state hackers an early look at computer flaws they could use for nefarious means like stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that it encourages improved information sharing on software vulnerabilities.

The board offered a number of recommendations on mitigating the fallout of the Log4j flaw as well as improving cybersecurity generally. That includes the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.

The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order Biden signed last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as people from the private sector. Some supporters of the new board criticized DHS for taking so long to get it up and running.

Biden’s executive order directed the board to conduct its first review on the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to breach several federal agencies, including accounts belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.

Silvers said DHS and the White House agreed that reviewing the Log4j flaw was a better use of the new board’s expertise and time.
Newsletter

Related Articles

TechDigits
Close
0:00
0:00
AOC explains why she opposes banning TikTok
Gordon Moore, a co-founder of Intel Corporation, died at 94
Donald Trump arrested – Twitter goes wild with doctored pictures
Credit Suisse's Scandalous History Resulted in an Obvious Collapse - It's time for regulators who fail to do their job to be held accountable and serve as an example by being behind bars.
Russian Hackers Preparing New Cyber Assault Against Ukraine
A brief banking situation report
Elon Musk Is Planning To Build A Town In Texas For His Employees
The Silicon Valley Bank’s collapse effect is spreading around the world, affecting startup companies across the globe
Market Chaos as USDC Loses Peg to USD after $3.3 Billion Reserves Held by Silicon Valley Bank Closed.
Banking regulators close SVB, the largest bank failure since the financial crisis
In a major snub to Downing Street's Silicon Valley dreams, UK chip giant Arm has dealt a serious blow to the government's economic strategy by opting for a US listing
It's the question on everyone's lips: could a four-day workweek be the future of employment?
Corruption and Influence Buying Uncovered in International Mainstream Media: Investigation Reveals Growing Disinformation Mercenaries
Being a Tiktoker might be expensive…
China's top tech firms, including Alibaba, Tencent, Baidu, NetEase, and JD.com, are developing their own versions of Open AI's AI-powered chatbot, ChatGPT
This shocking picture, showing how terrible is the results of the earthquake in Turkey
The desk of King Carlos Alberto of Sardinia has many secret compartments
Charlie Munger, calls for a ban on cryptocurrencies in the US, following China's lead
First generation unopened iPhone set to fetch more than $50,000 at auction.
Almost 30% of professionals say they've tried ChatGPT at work
Interpol seeks woman who ran elaborate exam cheating scam in Singapore
What is ChatGPT?
Tesla reported record profits and record revenues for 2022
Microsoft is finalising plans to become the latest technology giant to reduce its workforce during a global economic slowdown
Tesla slashes prices globally by as much as 20 percent
After Failing To Pay Office Rent, Twitter May Sell User Names
FTX fraud investigators are digging deeper into Sam Bankman-Fried's inner circle – and reportedly have ex-engineer Nishad Singh in their sights
TikTok CEO Plans to Meet European Union Regulators
U.S. Moves to Seize Robinhood Shares, Silvergate Accounts Tied to FTX
Coinbase to Pay $100 Million in Settlement With New York Regulator
FTX assets worth $3.5bn held by Bahamas securities regulator
Former FTX CEO Bankman-Fried finally arrested in Bahamas after U.S. files charges
Corruption works: House Financial Services Chair Waters doesn't plan to subpoena her donor, Sam Bankman-Fried, to testify at hearing on FTX collapse
Yellen hints at ‘national security’ probe into Twitter purchase
Elon Musk reinstates Donald Trump's Twitter account.
George W. Bush and Barack Obama will hold back-to-back disinformation conferences
Solar + Powerwall ensures you never lose power, even if the grid goes down
This man paid for strangers' grocery and it moved them to tears
Meta introduces a new version of Mark Zuckerberg
Virtual Reality on billboards: BMW advertisement on Times Square
Apple CEO Tim Cook says coding should be taught as early as elementary school: 'It's the most important language you can learn'
Apple Executive Resigns After Viral TikTok Shows Him Making Crude Jokes
Huawei is not only better technology, but also protecting users better: Apple Warns Of Security Flaw For Iphones, Ipads And Macs
Mark Zuckerberg warns many teams will ‘shrink’ as Meta revenue drops
Elon Musk reportedly begged for forgiveness after his affair with Google co-founder Sergey Brin's wife
J.P. Morgan’s wealth management guru has some advice for recent college graduates on managing money and building wealth
Pentagon widens scope of UFO-hunting unit
Bezos' girlfriend Lauren Sanchez gives $1M to group focused on migrant kids at US-Mexico border
Hong Kong gets its first metaverse churches with avatars and virtual preachers
The ‘Dirty Quid Pro Quo’ Between Democrats and Big Tech
×