The biggest, most critical software vulnerability of the past decade. Not an ordinary zero day – an undiscovered software bug that allows hackers to break into computers – but a cluster bomb, which has left hundreds, if not thousands, of security holes in all kinds of computer systems worldwide, including in places where it was not expected.
Cybersecurity experts worldwide are alarmed about the harmless-looking logging tool Log4J. What is going on?
Log4J is one of the building blocks of the internet, but at the end of last week it turned out to contain a serious vulnerability. And that while it is very widely used in all kinds of computer programs. Log4J, as the name suggests, simplifies the recording (logging) of actions performed by computer programs written in the Java programming language. The result is a logbook of technical details. Developers use those log files to see whether their programs are functioning properly.
However, Log4J turned out not only to record those actions, but also to execute them. By cleverly crafting the content of a log entry, hackers can have Log4J download and execute their own malicious code. They can take over systems, install ransomware or steal sensitive data. That in itself is cause for concern, but the problem with Log4J is more vicious: nobody knows exactly which programs and systems use the logging tool.
high/high
On Friday, the National Cyber Security Center (NCSC), a part of the Ministry of Justice and Security responsible for digital security in the Netherlands, sent the strongest possible warning about the problems. The classification: high/high – a high risk of abuse, with a high probability of serious consequences.
“Log4J is like sugar,” explains Hans de Vries, director of the NCSC. “It’s everywhere, even in places where you don’t expect it. It is complex because it is a supply chain issue: one developer uses a piece of code and another developer also uses that. Log4J is sometimes part of software without people even knowing that it is part of software. That’s what makes it so different.”
Log4J is open source – anyone can use the software in their own programs. Programmers don’t like to reinvent the wheel, so if someone else has written an apparently well-functioning program that makes logging easier, it will find its way into other programs as well.
Dave Maasland, director of security company ESET, compares Log4J to asbestos. “Asbestos can be found in houses that were built during a certain period. Everyone used Java at some point. Companies now have to conduct digital asbestos research: break down the walls and see whether they also use this tool.”
calamity
The problems are so complex that the NCSC is more prominent as a coordinator, says De Vries. “Unlike previous problems, for example around the Microsoft Exchange servers, there is now not one software package that companies know they are using. You can then turn it on or off, or make it more secure. Log4j is different.”
Last weekend, the NCSC formally labeled the problems surrounding Log4J as a calamity. On Saturday and Sunday, the center hosted digital meetings with cybersecurity industry experts to get to grips with the issue. Martijn Jonk, head of the emergency team, says: “If we as the NCSC, with our generally very good information position and international network, already have a lot of questions, then you can say that many others also have questions.”
Because there are many questions: which systems contain Log4J? Are those systems vulnerable? Have suppliers already found a solution? Are there scans available that can automatically detect the vulnerabilities?
The conversations led to a digital list of potentially vulnerable software, which is also internationally regarded as an important source of information. The list has more than a thousand products. The question is rather which large tech companies are not on it: Amazon, Oracle, Cisco, Microsoft and Siemens are all on it.
The volunteers who maintain Log4J distributed a new version last Thursday, in which the hole has been closed. Normally the advice is: install the update (patching) and then check that no one has got in in the meantime. Now the advice of the NCSC is different. Jonk: “We say: be alert and prepare for abuse. That means: assume that hackers will abuse your system in the coming period. A lot of organizations don’t know if they have Log4J somewhere in their systems and none of the scan tools work 100 percent.” The list will continue to grow, De Vries expects. “Suppliers are still investigating whether they are vulnerable. Computer programs that are not directly connected to the internet can also be vulnerable. It really is a headache.”
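As an added illustration of why a plain file listing is not enough to answer "do we have Log4J somewhere?" (this is not code from the article, the NCSC or the Log4J project): a small Python inventory scanner that also looks inside archives nested in WAR files and fat JARs, checking for the JndiLookup class and the log4j-core pom.properties. The class and property paths are assumed from the Log4j 2 jar layout; the sample archive and its version string are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Indicators of log4j-core inside a Java archive (paths assumed from the log4j 2 jar layout)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def _scan_archive(zf, label, findings, depth):
    """Record a log4j-core hit for zf, then recurse into archives nested inside it."""
    names = set(zf.namelist())
    version = None  # stays None when no log4j-core pom.properties is present
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), "unknown")
    if JNDI_LOOKUP in names or version is not None:
        findings.append({"archive": label, "version": version, "jndi_lookup": JNDI_LOOKUP in names})
    if depth == 0:
        return
    for name in names:  # fat/shaded JARs and WAR/EAR libs hide copies one level down
        if name.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_archive(inner, f"{label}!{name}", findings, depth - 1)

def scan_tree(root, max_depth=3):
    """Walk a directory tree and list every embedded log4j-core it contains."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVES) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    _scan_archive(zf, full, findings, max_depth)
    return findings

def build_sample_tree():
    """Constructed fixture: a temp dir with app.war bundling log4j-core under WEB-INF/lib."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr(POM_PROPS, "version=2.14.1\n")  # constructed sample version
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    return root
```

Running scan_tree with max_depth=0 on the sample tree returns nothing, which is exactly the blind spot of a scanner that only looks at file names on disk.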
Bells and whistles
Cybersecurity expert Bert Hubert delved into the source code of Log4J in recent days and was amazed at what he found there. “Log4J is 200,000 lines of code. That’s really, really long, while it only needs to write log lines. It is full of features and bells and whistles, and it just goes on. It makes me feel like we’re not done with this yet. I do not rule out that more problems will be found.”
Every program can contain errors, says NCSC director De Vries. “With both open and closed source you are dependent on a number of developers who put their heart and soul into it and can make a mistake once in a while – it is possible.” Just because something is open source and popular doesn’t mean it should just be trusted, says Hubert. ESET Director Maasland: “The question is also: whose job is it to actually look at the code, and if no one is looking, then what?”
According to De Vries, more attention should be paid to information security among programmers. “This shows that we are dependent on large pieces of software and that if something goes wrong we can solve the problems, but it is even better to prevent them. We need to ensure that the current generation of programmers programs with security in mind. At least that spares us the shit of the future.”
On Wednesday, the NCSC is organizing a meeting for system administrators or IT managers who are not directly under its responsibility. Jonk: “Although we still see limited abuse of Log4J, that doesn’t mean anything at the moment. Cyber criminals may already be inside, but have not yet been spotted. We are very concerned about the coming period. We just don’t really know what that will look like yet.”
In the coming days, major software companies will quickly provide a definitive answer as to whether their software is vulnerable to Log4J abuse and publish patches if necessary. Hubert is more concerned about another group: “Banks, insurers and other companies that once had custom software made. This has been in use for a long time and the contact with the supplier is about to end. Java programs run quietly for seven or ten years. In such programs we will also discover in 2026 that there is an old Log4J in it.”
A version of this article also appeared in NRC in the morning of December 15, 2021