What is Log4J / Log4 Shell?
Log4j is a computer program. It was written a couple of decades ago. It has been incorporated into zillions of other computer programs by companies all over the world. This includes Google, Apple, IBM, Facebook, browsers like Firefox, etc, etc, etc. Depending on brand and model, it also includes smart TVs, security cameras, doorbells, etc.
what’s the problem?
A mistake (vulnerability) in the program was recently discovered. The mistake is very serious because cybercriminals can take advantage of the vulnerability to take complete control of the computer on which log4j is running.
Think of it analogous to a lock on doors. Imagine if it were discovered that there were a mistake in all the Schlage locks in all the hotels in the world and the mistake (vulnerability) allowed anyone to open the lock with a toothpick. The result would be that every hotel would have to fix all of their locks.
This is the situation with Log4j. The mistakes in Log4j are being fixed just like Schlage could fix the mistake with their lock. But now every company that has used Log4j in their computer programs has to update their programs with the new fixed Log4j. As companies who develop software update their programs, every business and every home user has to install these updates on their computers.
Incidentally, it’s not just Log4j that has a mistake in the program. Computer programs are very complex and there are mistakes in most of them. Big programs can have 1,000s of mistakes in them. Good companies have special teams that are always looking to find these mistakes and fix them. They want to do this before the cybercriminals find the mistakes. If the cybercriminals find the mistakes before the company does … or before the businesses and home users update the programs on their computers … then the bad guys can exploit the mistakes to break into these computers.
Is it dangerous?
It’s incredibly dangerous because the Log4j mistake gives cybercriminals an extremely easy way to break into computers. Jan Easterly, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says Log4J is the most serious cybersecurity challenge she’s ever seen. Here is an interview Ms. Easterly did with NBC.
Is it from enemies?
In so far as we know it’s not from enemies. The Log4j program was most likely written by regular software developers. Good people who … like other programmers … made mistakes in the program they wrote. The mistake was just recently found. And now our enemies are aggressively taking advantage of the mistake to conduct their nefarious activities like cybercrime and cyber espionage.
Does it represent possible harm?
Absolutely.
Can it take down systems like bridges, water, oil pumps, etc.? Can it cripple infrastructure?
Absolutely. Any systems with computers that’s connected to the internet is at risk.
This is why there’s a full-court press to get this fixed as quickly as possible and for organizations to be on high alert for attacks. CISA, for example, has made it mandatory for government installations to update their programs. (CISA has this authority for government systems but not for private industry.) CISA and the cybersecurity community are working diligently with program developers to find and update programs containing the Log4j. I’ve read Google has 500 engineers working on the Log4j problem. The larger companies in our critical infrastructure — water, food, financial services, energy, etc — are working feverishly to get their systems updated. Fortune 1,000 companies are also hard at work updating their programs.
Thus, while the risk is high, I don’t think it likely that this will result in any part of the critical infrastructure being crippled. Maybe an incident here or there but nothing that’s “crippling.”
The greatest danger I foresee is with smaller businesses who don’t have good IT support. They’re typically not aggressive in updating their programs and so may likely be sitting ducks.
What should home computer users do?
To protect their home computers, users need to be extremely vigilant in keeping the programs on their computers patched and updated. (This is #8 below).
So you know what programs require updating, every Sunday SecureTheVillage publishes the Weekend Vulnerability Report. The Report is a good place to get information on common programs needing to be updated. We publish the Report on LinkedIn and Twitter and email it to the SecureTheVillage community bundled with our Cybersecurity News of the Week. You can sign up to get our Cybersecurity News of the Week & Weekend Patch Report here. Make sure you’re running the most up-to-date versions of all the programs on our list.
Here’s a basic list of 8 basic things that you should do … not just because of Log4j but because the Internet is dangerous. Think of the Internet like covid. It’s very dangerous unless you take precautions. Log4j is like Omicron, making the Internet even more dangerous.
- Guard Against Identity Theft: Freeze your credit at the 4 credit bureaus.
- Use Strong Passwords: Use long, unique passwords for your important online accounts, like government, banks, investments, credit cards, etc.
- Be Cautious with Email: In email, avoid clicking on attachments or links unless they are expected and you’re sure of source. (Some of the emails you’re getting about Log4j may be the work of cybercriminals who have sent you links or attachments that are booby-trapped so when you open them, they take over your computer.)
- Use Antivirus: Use antivirus on your personal computers and smartphones
- Encrypt Your Files: Encrypt all the files on your computers and smartphones
- Backup Your Important Information: Create remote, multi-version backups of personal computer and smartphone files.
- Use Two-Factor Authentication: Set up two-factor authentication (2FA; MFA) at all your important online accounts like government, banks, investments, credit cards, etc.
- Keep programs Up-to-Date: Keep software (operating system, web browser, apps, …) up to date on all PCs and smartphones.
