Published on December 21st, 2021 📆 | 6541 Views ⚑
0Why is the Log4j cybersecurity flaw the ‘most serious’ in decades?
A newly discovered cybersecurity flaw is affecting vast swaths the internet from Google and Amazon to the systems used to run militaries and hospitals, with US Homeland Securityâs top cybersecurity official calling it the most serious vulnerability in decades.Â
The flaw is present within a popular piece of software called Log4j, which is part of the ubiquitous programming language Java. Log4j is used by millions of websites and apps â and the softwareâs flaw potentially allows hackers to take control of systems by typing a simple line of code, according to cybersecurity experts.Â
âThe log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,â Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said Thursday on CNBC.Â
Most hacking attempts using Log4j so far have involved attackers trying to install cryptocurrency âminingâ software on victimsâ computers. However, an Iranian hacking group called âCharming Kittenâ has also tried to use the vulnerability to breach government agencies and businesses in Israel, according to the cybersecurity company Check Point.Â
The Log4j flaw is more serious than other cybersecurity flaws because of its âubiquity, simplicity and complexity,â according to Easterly.
âIt is a piece of software, open source, thatâs in millions of devices from video games to hospital equipment to industrial control systems to cloud services,â the cybersecurity official said.
âIt is trivial to exploit,â she added. âAnd it takes a very focused effort to be able to find and to fix the vulnerability.âÂ
While thereâs little that individual internet users can do to protect themselves, government agencies and tech companies alike are scrambling to fix the vulnerability.Â
The Cybersecurity and Infrastructure Security Agency published an emergency directive on Friday urging all government agencies to immediately âpatchâ computer systems to address the Log4j flaw.Â
Google, meanwhile, has more than 500 engineers combing through the companyâs code to make sure itâs safe, the Washington Post reported.Â
Asaf Ashkenazi, chief operating officer of security company Verimatrix, told the paper that coders across tech companies have been clocking excessive hours since the Log4j issue was first made public on Dec. 9.Â
âSome of the people didnât see sleep for a long time, or they sleep like three hours, four hours and wake back up,â Ashkenazi told the Washington Post. âWe were working around-the-clock. Itâs a nightmare since it was out. Itâs still a nightmare.â
Even the Microsoft-owned online video game Minecraft has been affected. Some hackers were apparently able to breach victims by typing a single line of code into the gameâs chat box, according to Wired. Microsoft says it has since fixed the issue and is urging players to update their Minecraft software.
On Monday, Belgiumâs defense ministry was forced to shut down parts of its computer network after hackers triggered the Log4j vulnerability, the Wall Street Journal reported. The ministry did not provide details on the breach.Â
Gloss