Episode 8: Log4j Vulnerability

Log4j (or Log4shell) Vulnerability

On December 9, 2021 reports of a vulnerability in Apache Log4j hit the scene. Sending the cyber security professionals scrambling. Within 24 hours there over 200,000 attack attempts detected and then over 800,000 attacks detected within 72 hours. It has been two months since the first report and attack attempts have been in the multiple millions.

CheckPoint cybersecurity firm said “It is clearly one of the most serious vulnerabilities on the internet in recent years, and the potential for damage is incalculable.”

What is Log4j? How does affect the end-user?

Apache Log4j is part of almost every Java based web service or product out there. Basically anything that you can see on or access via the internet – a website, smart camera, smart lightbulb, smart appliance, etc. – uses Apache, and most likely uses the Log4j package.

What can you as an end-user do about Log4j? The real answer is not a lot. The Apache software is used in the infrastructure and programming that forms part of the backbone of the internet, and the average end-user doesn’t have access at that level. It is up to the website hosting providers and the distributors of smart devices to apply the corrective patches.

At this writing if a service hasn’t been actively patching their Apache software, they have more than likely been compromised.

What can you do as an end-user?

While you can’t do a lot to fix the problem there are steps you can take to protect yourself.

Because of the wide spread nature of this vulnerability, chances are at least one website where you have a login has been compromised. That compromise may have resulted in some of your data being exposed. The following steps can help to limit the damage you may experience.

  • Change your passwords on websites, particularly websites and online services that store important information about you – financial institutions, medical providers, shopping websites where you have stored payment and other Personally Identifiable Information (PII).
  • Visit the news or support of the previously mentioned websites and see if they report any Log4j issues and if they are secure. If you can’t find that information, email and ask. You may have to spend some time clicking links to find this information, but be diligent.
  • Make sure you use unique passwords for each site. If you use the same email and password for your favorite restaurant rewards card and your financial institutions, hackers only have to breech the restaurant’s network to then get into your financial institution.
  • Use a password manager so you can use very complex passwords without having to remember them.
  • Update the firmware on all of your smart products and web connected devices. Go to the support websites of the manufacturers of your devices and search for how to update the firmware. (Firmware is a type of software that is integral for the hardware components of a device to get them to function.)
    • Devices can be smart cameras, Smart appliances, internet routers, Wi-Fi access points, smart lightbulbs, Smart TVs, Apple TVs, Alexa devices, Google Nest devices, Ring doorbells….the list goes on and on. If you can check the status on a website or through and App on your phone, you need to see if you can update it.
    • Larger companies – Amazon, Google and Apple – generally push out updates automatically, but it is still important to check on their websites for the steps to check if you device is up to date.

Being aware of what is going on in the digital world is an important step in your digital self defense. While many times things are out of your control, the goal is to control what you can. While it is annoying to have many different passwords on the multitude of websites, it really is one very important way to be safer in our digital world.

Be safe out there!

Leave a Comment