First off, I’m not alluding to a gift from the hackers. They’re continually generous by sharing their talents with the internet’s billions of users. Since Day Two, or so, of the advent of internet connectivity—then, over telephone lines—the vulnerabilities within the communication channels that transmit our Amazon purchases and TikTok fodder have been prone to exploitation by creative, not always malicious, hackers.
This is a gift to the black hats of the security population, this Log4j vulnerability. Log4j is a technology product that is within the wider suite of Apache Logging Services. To keep score, there are two arcane tidbits of your internet use that you should never even read, much less know, about: Log4j and Apache Logging Services. Essentially, Log4j is a journal-keeping application that tracks the activities of its users’ software and programs. Among other purposes, it provides IT folks with red flags that might indicate a cyber-attack.
Suffice it to say that these are programs and services that are integral to businesses’ in-house software configurations that communicate online. If you do in fact already know about Apache’s related services and Log4j itself, then not only did I not add any value to your read today, but you can also school me about them. They’re deep in the developers’ woods, a place I don’t venture.
Because this Log4j thing is incredibly popular and widely used in popular applications, meaning all across the business spectrum and especially in those organizations larger in scale, and likely therefore affecting you as much as any tech stuff I’ve discussed, it is a big deal to have realized a vulnerability within it. Apple, Minecraft, many governments, and countless other entities that you interact with regularly bear the Log4j service and therefore its weaknesses.
Last week we began learning about the effects of the broken Log4j making itself available to the bad guys. The U.S. Department of Homeland Security weighed in and referred to the issue as “one of the most serious flaws” in cyber security. That same day it was estimated that breaches were attempted against the security hole at a pace of over 5,000 strikes per hour. In the private sector, security experts also opined on its vast repercussions. One admitted that the “ticking time bomb” could take years to analyze and repair from the security side, while these thousands of daily attacks were ongoing from the hackers’ side.
Oracle, IBM, the government, and many others directly affected have been actively trying to mitigate the issues, but ultimately can do little more than pass along the information and make the users aware.
The U.S. government, alongside its acknowledgment of Log4j’s seriousness, alerted businesses, schools, and healthcare facilities. They’re on notice that the problem is pervasive. They were reminded that, as always, the holiday season is particularly vulnerable to cyber-criminals, ever on the lookout for efficiencies in their own sort of twisted sense of the word.
For now, the security flaw has been patched. That is not meant to give much relief because of its massiveness and, as the private security expert predicted, because it will take some time to even understand how widespread and impactful it will be. Hackers, meanwhile, are ripping the wrapping paper off of this one as if they were back in their parents’ house, sneaking from under the tree in the wee December 25 hours. Some actually are doing both this year.
Whether it’s Log4j or any other system-wide vulnerability and exploit, this is neither the last one we’ll encounter this year, nor is it necessarily the most serious one despite the government’s historical estimate. Also, there certainly is no need to gift the scofflaws with wide-open doors. They’re sophisticated and diligent. They’re traipsing down the Main Street of the information superhighway checking every car door to see what we’ve left open. When they don’t find that low-hanging fruit, they’ll pull out their Slim Jim to breach the entryway. If they cannot finesse that between the interior panel and outside door skin to pop the lock, they’ll just donkey-kick the window in if the treasure trove inside seems worthy.
Don’t feel powerless, though. It’s easy to. I do sometimes. Here, we have trillion-dollar governments, billion-dollar companies, and million-person security forces all with the same goal: Protect the internet and its universal connectivity, and most importantly its nearly infinite amount of personal, financial, and health data. Yet, today this is the story. Later today … another. Yesterday and tomorrow include others. “The new norm” seems to be nearing its status as passé in common parlance though it perfectly fits in this discussion.
We cannot run. The internet is tethered to us. We cannot hide. Only the hackers seem to be savvy enough to truly attain anonymity. We cannot, practically, fight. It would be futile against the hackers, and it introduces new risks in that we might run afoul of the law by going rogue, trying to tame the Wild West. Instead, we must be aware, knowledgeable, and deploy due diligence. The most powerful forces can’t run, hide, or fight. They are also left with these limited responses of preparedness and intelligence in action. Literally as I was typing my first draft of this column the following email arrived in my inbox:
“INTENDED FOR WIDEST DISTRIBUTION … The Cybersecurity and Infrastructure Security Agency (CISA) invites you to participate in a Broad Sector stakeholder call to discuss the Apache Log4J Vulnerability.”
Thus, at the very least (or possibly, effectively the most), the U.S. government and millions of security actors are hard at work, trying to keep up, and searching for just ends to these ever-present threats. It’s not a gift that seems in kind with the one that the bad guys received as their early Christmas present, but you should accept the glad tidings of comfort and joy nonetheless.
Merry Christmas!
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
