
Why it's so important to update!

1492
Moderator

What is Log4j?

By now you may have heard about an obscure-sounding 'Apache Log4j' vulnerability, now considered to be among the worst in cyber history, affecting millions across the world. Log4j is a free Java logging utility used in popular web servers and applications. Java is not related to JavaScript, which is entirely different. If your application is not utilizing Java, you are not vulnerable. One problem is that it may be difficult to determine if your application is using a component that's integrated with the Log4j utility.

Make it tougher for cyber-criminals and hackers

If there are any personal takeaways, among the top is to keep all your OS, browsers, and software updated as soon as application releases are provided. Though there may not be an effective instant solution to protect against 0-day exploits by their very nature, the lesson is not to delay when security updates become available. And don't use unsupported or outdated software no longer providing security patches, while connected to the Internet.

Exploiting software vulnerabilities is becoming the foremost method used by cyber criminals and hackers. Security software is no longer a primary line of defense, just one cog in layered protection. In many cases, if a hacker can breach your system using a vulnerability allowing elevated privileges, they can disable/bypass your security software.

Case in point, virtually all infections with WannaCry ransomware, which encrypted personal data until payment was transferred to cyber-criminals, were carried out on Windows 7 machines that had not installed updated security patches at the time.


Why should I even be concerned about Log4j?

Though the Log4j flaw affects primarily enterprise software, your personal stored data could be compromised as the full scale of this vulnerability has not yet been determined and may take years to resolve.

But there is another question that has yet to be answered: the vulnerability of 'smart devices' and other IoT, such as smart TVs, security doorbells/cameras, appliances, printers, etc. Many have a built-in web server or OS to communicate data to manufacturers/users and could be utilizing the Log4j utility as it's free.

Most of these devices are connected to our home networks, and it is conceivable that this flaw could allow hackers an endpoint to compromise access to data from attached computers/devices, if not worse. Simply by utilizing a text-based string in an email, chat, message, or embedded in an online advertisement to exploit this flaw?

I've rarely seen or been informed of security updates for smart devices. Wonder if none are forthcoming, how many would take the risk to keep known vulnerable devices connected on our home networks?

The full ramifications of the Log4j flaw are not yet known.


Hacker attempts getting worse

Apache released a security patch for the Log4j flaw about 4 days before it was widely published by news outlets. Reports of it being first detected on a Minecraft site were apparently not accurate as it had been seen earlier. Apache has since released more patches and program updates as hacker scanning to exploit the flaw has skyrocketed in recent days, reaching thousands per minute. Hackers have also apparently modified their approaches to get around recent security updates.

The biggest challenge now is determining the full extent of the vulnerability as we don't know how many apps are affected. In recent webinars this week, top security experts are advising daily application scanning and port restrictions, and not to trust that your apps are not affected – a zero trust approach.

You can't protect against every security threat these days, though keeping updated with security patches is becoming the frontline defense.
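
The post above notes how hard it can be to tell whether an application bundles Log4j. As an added example (not part of the original post and not Apache's own tooling), this Python scanner inventories Java archives, including archives nested inside other archives, for the log4j-core `JndiLookup` class and reports any version recorded in the jar's Maven metadata. The function names, the sample archives and the version string are constructed for this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXTS = (".jar", ".war", ".ear")
# Class that implements JNDI lookups in log4j-core; its presence is the evidence we report.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; read here only to report the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_archive(data, label, findings):
    """Record log4j-core evidence in one archive, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: skip it rather than abort the whole scan
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_CLASS in names
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version = next((l[8:].strip() for l in props.splitlines() if l.startswith("version=")), None)
        if has_jndi or version:
            findings.append({"where": label, "version": version, "jndi_lookup": has_jndi})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):  # e.g. WEB-INF/lib/*.jar inside a WAR
                inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):
    """Walk a directory and return one finding per archive that contains log4j-core."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def build_sample_tree(root):
    """Constructed sample: a WAR bundling a stand-in log4j-core jar, plus a clean jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")
        z.writestr(POM_PROPS, "version=0.0.0-constructed\n")
    with zipfile.ZipFile(Path(root) / "shop.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(Path(root) / "clean.jar", "w") as z:
        z.writestr("com/example/App.class", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

The scanner only reports what it finds; whether a reported version still needs updating has to be checked against Apache's current advisory.
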
4 REPLIES

wa8yxm
Explorer III
As NamMedevac implies the best security is what I call the ONION system.
Like an onion it is layer upon layer upon layer
A good firewall (I have one of the best)
A good anti-malware FULL TIME live
A 2nd and even a 3rd anti-malware one of which is on "External" media (USB stick)

I have had malware get past one or two, but not often the 3rd or 4th.

You also need to update your wetware (Brain). You get a pop up "Your computer is locked" or a message "your account is (or will be) Suspended....." DO NOT CLICK ON ANY LINK IN THE POP UP OR MESSAGE.

That first one can be a type B Itch to get rid of.. I've had to force a shutdown of the computer then run a scan (Clean) on restart.

If you get a message about say your Amazon account.. manually type Amazon.com or click on an existing link in your BOOKMARK list. DO NOT click on the link the scammer provides.

This is Bank of America Security and we are having a problem accessing your account to fix a problem, click on the link below and log in....

(Actual scam letter) Yup, they are still having a problem logging into my account. (It was closed like 5 years before I got the scam letter. I can't log into it either, made it easy to spot as a scam)

And no, I've not been charged on my Amazon Linked card for a new iPhone (For one thing I don't have a default card on Amazon)
Home was where I park it. but alas the.
2005 Damon Intruder 377 Alas declared a total loss
after a semi "nicked" it. Still have the radios
Kenwood TS-2000, ICOM ID-5100, ID-51A+2, ID-880 REF030C most times

NamMedevac_70
Explorer II
On my 4 laptop PCs I use Malwarebytes premium and free for years now with no issues of trojans, viruses, etc. Also update often and when notified to do so. I place no credit card or financial info on my cellphone and my Smart TV does not connect to the internet except for occasional updates if offered. Also have MS Defender and/or Security Essentials on all.

wildtoad
Explorer II
Good information, but I have to ask… for the average guy how does it affect me if I'm using an iOS device, or an older Surface pc/tablet?
Tom Wilds
Blythewood, SC
2016 Newmar Baystar Sport 3004
2015 Jeep Wrangler 2dr HT

Lwiddis
Explorer
Thank you for posting this information.
Winnebago 2101DS TT & 2022 Chevy Silverado 1500 LTZ Z71, WindyNation 300 watt solar-Lossigy 200 AH Lithium battery. Prefer boondocking, USFS, COE, BLM, NPS, TVA, state camps. Bicyclist. 14 yr. Army -11B40 then 11A - (MOS 1542 & 1560) IOBC & IOAC grad