RE: Why Is Log4j Allowed To Exist And Proliferate?

Where are the best people? Are they in the group that doesn’t want to work or in the group who Lives To Hate America and wants to turn it into the country they supposedly fled?

Where are all the IT (information technology) geniuses we’re always hearing about? Companies don’t want to pay for security?

Why can’t the FBI solve this? It seems like they’re never around when the serious crimes go down; they spend too much time snooping into people’s bedrooms; what’s the point; what does that solve?

I guess they’ll get off the table when they get hit. Next stop, could be you.

All these government institutions and agencies keep saying is they’re keeping us safe. No, they’re not. It’s a lie, otherwise we wouldn’t be hearing stories like these.

What is this, an advertisement for cyber attack specialists? It’s an employment ad? Better pay them what they’re worth, instead of spending all your money paying snitches for tips that never pan out.


Yahoo Finance

Log4j: Why this massive security flaw is impacting nearly all of the internet

Daniel Howley·Technology Editor

Fri, December 17, 2021, 5:23 PM

A major cybersecurity vulnerability is impacting nearly all of the internet, sending everything from financial institutions to government entities scrambling to patch their systems, before cybercriminals and nation states can launch cyberattacks.

Known as the Log4j vulnerability, the flaw impacts a piece of open-source logging software that allows developers to understand how their programs function. The idea is to help companies understand potential bugs or performance issues in their own software.

But Log4j, which is part of the software offered by the open source Apache Software Foundation, can be exploited to allow attackers to take over the computers and networks of any organization running the program.

Patches have already been released, but applying them is a different story. Organizations, whether government or private, are notoriously slow when it comes to updating their software.

“It’s a very, very serious issue,” NYU Tandon School of Engineering associate professor Justin Cappos told Yahoo Finance. “Since it’s part of the software supply chain, many different pieces of software can be affected.”

The fear is that the flaw could be used by attackers to take remote control of any unpatched system and use them as their own. That, experts say, could give cybercriminals the means to do everything from stealing user data to taking control of real-world infrastructure.

The danger of Log4j

The Log4j vulnerability is dangerous for two reasons: how widely used the software is, and how attackers can take advantage of the flaw.

“If you have the vulnerability, and I exploit it, that means I can run my code on your machine,” explained Herb Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University. “So now it’s like I’m on your machine, and now I can do anything that you can do.”

According to Lin, that can include doing things like stealing emails, destroying files, and installing ransomware. And the potential damage doesn’t stop there.

“I can now take control of the generator that your computer is connected to or the telephone switch or the chemical plant and so on and so forth,” Lin said. “So that’s the issue. The vulnerability comes from the fact that this code has been a part of millions and millions and millions of installations around the world.”

The Log4j flaw can be used to do everything from attacking corporate email systems to impacting real-world infrastructure.

Another major problem is the fact that you, as an individual, have no control over whether the internet companies you trust to protect your files will deploy the appropriate patches quickly.

“If there’s a bug inside of Microsoft Word I might be able to go and say, ‘Oh, I don’t use Microsoft Word. I don’t need to worry about this,’ right? But here the problem is that you may not even be aware where the software is being used,” said Cappos.

Criminals and nation states are already trying to exploit the vulnerability

According to Microsoft’s threat intelligence team, the majority of the attacks related to the Log4j vulnerability have been related to scanning attempts. That means the attackers are trying to see whether potential victims are vulnerable to attack.

Think of it like a burglar trying the door locks on a row of cars parked on a dark street. The cybercriminals are essentially trying to see who has locked their doors and who hasn’t.

Some hackers, meanwhile, are already using the flaw to launch attacks, including installing crypto miners on victims’ machines, stealing user credentials, and taking data from compromised systems.

Microsoft (MSFT) says groups in Turkey, China, Iran, and North Korea are also developing the means to take advantage of the Log4j flaw. And some Iranian and Chinese groups are already using the exploit to beef up their own existing cyber attack capabilities.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has already ordered federal civilian agencies to patch their systems and has advised that non-federal partners do so as well.

Patching the internet isn’t easy

Fixing a problem like the Log4j flaw requires that companies that use the software download the appropriate patch. But it will take time for companies to implement the latest software. That’s because major organizations have to also ensure that the patch doesn’t impact their own programs.

More cynically, there’s the fact that some companies simply don’t follow the best cybersecurity practices and so don’t patch their systems in a timely manner, if at all.

What can you do? Nothing, really. The Log4j flaw isn’t something that most individual users can address. It’s up to the companies that have their information to address the exploit on their own. And if they don’t, then your data could leak out there into the wild.



Published by Sharon Lee Davies-Tight, artist, writer/author, animal-free chef, activist

CHEF DAVIES-TIGHT™. AFC Private Reserve™. THE ANIMAL-FREE CHEF™. The Animal-Free Chef Prime Content™. ANIMAL-FREE SOUS-CHEF™. Animal-Free Sous-Chef Prime Content™. ANIMAL-FAT-FREE CHEF™. Fat-Free Chef Prime Content™. AFC GLOBAL PLANTS™. THE TOOTHLESS CHEF™. WORD WARRIOR DAVIES-TIGHT™. Word Warrior Premium Content™. HAPPY WHITE HORSE™. Happy White Horse Premium Content™. SHARON ON THE NEWS™. SHARON'S FAMOUS LITTLE BOOKS™. SHARON'S BOOK OF PROSE™. CHALLENGED BY HANDICAP™. BIRTH OF A SEED™. LOCAL UNION 141™. Till now and forever © Sharon Lee Davies-Tight, Artist, Author, Animal-Free Chef, Activist. ARCHITECT of 5 PRINCIPLES TO A BETTER LIFE™ & MAINSTREAM ANIMAL-FREE CUISINE™.
