Last weekend was a bad time to be a server administrator. A critical vulnerability emerged in Apache Log4j. The big problem? All kinds of applications, from Twitter to iCloud, use the open-source Java package, and attackers can exploit it to execute any code they choose.
That's as scary as it sounds.
What the Apache Log4j Exploit Means for You and Me
I spoke with cybersecurity researcher John Hammond from Huntress Labs about the exploit and the subsequent scramble to mitigate the damage. Hammond recreated the exploit on a Minecraft server for his YouTube channel, and the results were explosive.
Q: What is this exploit? Can you explain what is happening in layman's terms?
A: This exploit allows bad actors to gain control of a computer with a single line of text. In layman's terms, a log file is retrieving a new entry but happens to be reading and actually executing upon data inside the log file. With specifically crafted input, a victim computer would reach out to and connect to a separate malicious device to download and execute any nefarious actions that the adversary has prepared.
Q: How hard was it to replicate this exploit in Minecraft?
A: This vulnerability and exploit is trivial to set up, which makes it a very attractive option for bad actors. I have showcased a video walkthrough demonstrating how this was recreated in Minecraft, and the “attacker's perspective” takes maybe 10 minutes to set up if they know what they are up to and what they need.
Q: Who is affected by this?
A: Ultimately, everyone is affected by this in some way or another. There is an extremely high chance, almost certain, that every person interacts with some software or technology that has this vulnerability tucked away somewhere.
We have seen evidence of the vulnerability in things like Amazon, Tesla, Steam, even Twitter and LinkedIn. Unfortunately, we will see the impact of this vulnerability for a very long time, while some legacy software may not be maintained or push updates these days.
Q: What do affected parties need to do to keep their systems safe?
A: Honestly, individuals should stay cognizant of the software and applications they use, and even do a simple Google search for “[that-software-name] log4j” and check if that vendor or provider has shared any advisories for notifications regarding this new threat.
This vulnerability is shaking up the whole Internet and security landscape. Folks should download the latest security updates from their providers as quickly as they are available and remain vigilant on applications that are still awaiting an update. And of course, security still boils down to the bare-bones basics you can't forget: run a solid antivirus, use long, complex passwords (a digital password manager is strongly recommended!), and be especially aware of what is presented in front of you on your computer.
Cops + Data Brokers = Legal Loopholes
Criminals in old movies always knew their way around both the right and wrong sides of the law. If a police officer threatened to bust down their door, they'd just smirk and say, “Oh yeah? Come back with a warrant.”
In today's reality, police don't need to bother getting a warrant for your data if they can buy the information from a data broker. Now, we aren't ones to romanticize law-breaking, but we don't like possible abuses of power, either.
As PCMag's Rob Pegoraro writes, data brokers give law enforcement and intelligence agencies ways to get around the Fourth Amendment by selling them information collected about private citizens. In one example, the FBI signed a contract with a data broker for “pre-investigative activities.”
Thanks to convoluted app privacy policies and data broker terms and conditions, the average American citizen probably doesn't know how their phone’s location data gets into a law enforcement database. Does that bother you? If so, it's time to take matters into your own hands and stop the data collection at the source. Use the location privacy features Apple and Google offer to keep your location a secret from your apps. iOS lets users keep any app from knowing their location, and Google's Android 12 adds similar controls.