IT professionals are alarmed about the Log4j security gap, and the first attacks are already underway. What are the consequences for users? How can something like this be prevented? Answers to the most important questions.
A small piece of software by Log4j has become a possible gateway into computer systems worldwide for criminal hackers: On Friday, a trivial but serious security hole was discovered in Log4j, and since then, attackers and defenders have been in a race.
The list of those who use Log4j and are therefore potential targets is long and includes companies such as Apple, Google, Tesla and Amazon, but also several authorities. “The Internet is on fire right now,” summarized Adam Meyers from the IT security company CrowdStrike.
The most important questions and answers at a glance:
What Is Log4j Anyway?
The open-source tool, mainly maintained by two volunteers, is used for logging what happens within a Java application. Put: IT departments use Log4j to monitor what is happening on their servers in various programs based on Java technology, for example, to identify errors. Version 1.0 was published almost 21 years ago; since then, Log4j has become a de facto standard for this observation, known as “logging”.
What Is The Now Discovered Vulnerability?
Certain strings of characters are, so to speak, waved through by Log4j. They can contain commands that are then executed on the server. This enables the attacker to take over the server remotely. In extreme cases, it was enough to enter the character string into a chat window in the game “Minecraft” to hack into the respective server.
The whole thing is so simple that the Federal Office for Information Security (BSI) has declared the warning level red for an »extremely critical IT security situation« because »this critical weak point may therefore have an impact on all Java- Applications that use Log4j to log parts of user inquiries «. The vulnerability itself is called Log4 Shell.
What Can Users Do, And What Do They Have To Fear?
The short answer: little and much. The longer one: The US cybersecurity agency CISA warns that end-user devices such as routers could also be vulnerable. Details were not given, so it is initially unclear whether there will be updates for these devices and, if so, whether consumers can and should import them themselves. Most of the work with Log4j Shell is done by IT departments in companies and government agencies.
But the effects of successful server compromises or even just the necessary preventive measures could be felt by many people. Be it because an authority temporarily switches off certain online services or because someone hijacks a company server and accesses the data stored there, distributes malware from there or works deeper into the network of the affected facility to paralyze it at some point with ransomware. There are already first examples of effects on people’s everyday lives. The telematics infrastructure had to be taken off the network “to protect patient data”. Therefore, patients and practices could currently have problems with their health insurance cards.
What Has To Happen In The IT Departments Of Companies And Authorities?
The BSI urgently recommends, among other things, an inventory of which systems Log4j uses, the shutdown of vulnerable systems that are not necessary, an update of Log4j to the current version 2.15.0 or the change of certain settings where an update is not easily possible. And just in case, “the logging of all incoming and outgoing connections to be able to identify any compromise more easily afterwards.”
Which Attacks Are Already Taking Place?
So far, the BSI has been aware of reports ”about global mass scans and attempted compromises. There are already first reports of successful compromises (so far with the crypto miner, among others). «Translated: Attackers automatically search the Internet extensively for servers and applications that use Log4j and that are vulnerable. The first attacks recognized consisted of the fact that a program was installed on a server that uses the server’s computing power to mine cryptocurrencies. F-Secure has now also observed ransomware attacks via Log4j Shell.
According to Rudiger Trost from F-Secure, more sophisticated perpetrators will not strike directly but will only use the vulnerability to prepare for the actual attack. You could try to settle in on a server unnoticed, work your way up from there, and take control of larger parts of a network.
Because professional perpetrators can observe their targets for months from such a position, the actual damage caused by Log4j will only be apparent much later. “Now as many back doors are being opened as possible,” assumes Trost in a phone call with SPIEGEL. He also expects someone to develop a worm that will spread through the hole, for example, to set up a botnet. F-Secure, says, has to come out for incident response, so certain customers have already been attacked and can no longer cope with it on their own.
Was This The First Time Something Like This Happened?
No, in 2014, some precedent came to be known as the Heartbleed. There, too, was a vulnerability only discovered after 27 months in the widespread open-source software component OpenSSL for securing Internet connections, which affected millions of web servers. the error was not noticed during acceptance – so he was in the world after the next update of OpenSSL.
What Is The Fundamental Problem?
First of all: Open source software is not a problem in itself; on the contrary. If the source code is exposed, experts can review it and report errors. This is more difficult with proprietary software, the code of which is not easily visible. But open-source projects are often taken on by volunteers and sometimes only maintained in their free time. In the best case, the volunteers get donations now and then, but these rarely correspond to the demands on their work and the effort. Human errors, like in the case of Log4j or OpenSSL, therefore, tend to slip through. There is a lack of professional structures in companies in which, among other things, security checks are carried out regularly and according to certain specifications because there are specially designated staff.
How Can It Be Solved?
“Open source software is the basis of the Internet and thus of the entire economy,” writes Google engineer Filippo Valsorda in a blog post on the Log4j case. But the maintenance of the many open-source projects has never been so professional that it could meet the demands of business and all other organizations that rely on it. In an “xkcd” comic strip famous in these circles, it is said that the entire digital infrastructure depends on “someone in Nebraska who has kept a project alive since 2003 without anyone thanking him.”
Filippo Valsorda, therefore, suggests that companies should sign contracts with the open-source developers whose work they depend on so that they can bill for their work.
An alternative would be government support.
At the EU level, it was already in 2015, at the suggestion of the then MEP Julia Reda and a Swedish colleague. The Fossa project created a bug bounty program under which the EU Commission paid security researchers to iron out weaknesses in the open-source software that the Commission itself uses. The project is 2020 expired, a similarly supported project called Fosseps was presented a few days ago.
Reda has meanwhile done a feasibility study with the Open Knowledge Foundation for the Federal Ministry of Economics, which deals with the targeted funding of open source projects by a “Sovereign Tech Fund”. The key question, Reda told SPIEGEL, was: “What should a public funding instrument look like to support these basic technologies that are used everywhere?” let work on open-source software.
Alternatively, individuals or small teams should be able to apply for funding on a “low-threshold” basis. The third pillar is practical support for developers, for example, by holding workshops on individual aspects of software development.
Note: In an earlier version of this article, it was stated that most end-users could not do anything because Log4j does not run on their smartphones and computers. The passage has been revised.