CVIVoter: The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know. 

Comment: The log4j bug is "the most serious vulnerability I have seen in my decades-long career" [Easterly]. This adds to the list of existing software vulnerabilities in voting machines that threaten our votes. An earlier story from cybersecurity firm Bishop Fox told about a serious vulnerability in BMDs (ballot marking devices that count votes) similar to those in the pipeline for New York State. Stop these vulnerable voting machines from being certified for New York by contacting your state legislators to pass S309/A1115, the Secure Voting Machines Act ("Ban the Hybrids").
Allegra Dengler

WAPO: "The ‘most serious’ security breach ever is unfolding right now. On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of computer code started rippling around the cybersecurity community. By the next day, nearly every major software company was in crisis mode, trying to figure out how their products were affected and how they could patch the hole."

Blog: "Bishop Fox Fights for Election Security" … security findings and analysis of Dominion ballot-marking devices (BMDs) … the security feature Dominion is using (checksum) provides only what is considered in the cybersecurity community “security theater,” said Liu, “not meaningful, verifiable integrity validation.”
…………………………………………………………………………….
https://www.washingtonpost.com/technology/2021/12/20/log4j-hack-vulnerability-java/

The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know.

Much of the Internet, from Amazon’s cloud to connected TVs, is riddled with the log4j vulnerability, and has been for years

By Tatum Hunter and Gerrit De Vynck
December 20, 2021 at 10:13 a.m. EST | Updated at 5:28 p.m. EST

On Dec. 9, word of a newly discovered computer bug in a hugely popular piece of computer code started rippling around the cybersecurity community. By the next day, nearly every major software company was in crisis mode, trying to figure out how their products were affected and how they could patch the hole.
The terms security experts use to describe the new vulnerability, found in an extremely common section of code called log4j, border on the apocalyptic.
“The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career,” Jen Easterly, U.S. Cybersecurity and Infrastructure Security Agency director, said in a Thursday interview on CNBC.

So why is this obscure piece of software causing so much panic, and should regular computer users be worried?

Log4j is a chunk of code that helps software applications keep track of their past activities. Instead of reinventing a “logging” — or record-keeping — component each time developers build new software, they often use existing code like log4j instead. It’s free on the Internet and very widely used, appearing in a “big chunk” of Internet services, according to Asaf Ashkenazi, chief operating officer of security company Verimatrix.

Each time log4j is asked to log something new, it tries to make sense of that new entry and add it to the record. A few weeks ago, the cybersecurity community realized that simply asking the program to log a line of malicious code would cause it to execute that code in the process, effectively letting bad actors take control of servers that are running log4j.
Reports differ when it comes to who first raised the alarm about the vulnerability. Some people say it surfaced in a forum dedicated to the video game Minecraft. Others point to a security researcher at Chinese tech company Alibaba. But experts say it’s the biggest software vulnerability of all time in terms of the number of services, sites and devices exposed.
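To make the mechanism described above concrete, here is an added illustration (not code from the article, and not log4j's own code) of a miniature logger that expands `${kind:arg}` lookups found in logged text. The `MiniLogger` class, its `date` and `remote` lookups and the `login_attempt` helper are all constructed for this example; the hardened path shows the general fix of treating user-supplied message content as inert data rather than as instructions.

```python
import re
from datetime import datetime, timezone

# Constructed illustration: a miniature logger that, like the behaviour
# described above, scans logged text for ${kind:arg} lookups and resolves
# them. Nothing here is log4j's own code.
LOOKUP_RE = re.compile(r"\$\{([a-z]+):([^}]*)\}")


class MiniLogger:
    """Hypothetical logger modelled on lookup substitution in log messages."""

    def __init__(self, lookups_in_messages: bool):
        self.lookups_in_messages = lookups_in_messages
        self.records = []          # lines that reach the log file
        self.remote_fetches = []   # side effects that lookups triggered

    def _resolve(self, match):
        kind, arg = match.group(1), match.group(2)
        if kind == "date":
            # A harmless, legitimately useful lookup for developer templates.
            return datetime.now(timezone.utc).strftime(arg or "%Y-%m-%d")
        if kind == "remote":
            # Stand-in for a lookup that contacts whatever location the text
            # names and trusts the reply; here it only records that it fired.
            self.remote_fetches.append(arg)
            return "<content from " + arg + ">"
        return match.group(0)  # unknown lookup: leave the text untouched

    def log(self, template: str, *args: str) -> str:
        if self.lookups_in_messages:
            # Vulnerable order: render the message first, then expand lookups
            # over all of it, so ${...} arriving inside user input is honoured.
            message = LOOKUP_RE.sub(self._resolve, template.format(*args))
        else:
            # Hardened order: expand lookups only in the developer-written
            # template, then insert user-supplied values as inert text.
            message = LOOKUP_RE.sub(self._resolve, template).format(*args)
        self.records.append(message)
        return message


def login_attempt(logger: MiniLogger, username: str) -> str:
    """Typical call site: attacker-controlled input flows into a log line."""
    return logger.log("failed login for user {}", username)
```

The same input is logged by both configurations; only the vulnerable one lets the logged text drive a lookup, which is why the real fix was to stop honouring lookups inside message content rather than to filter individual strings.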

Software bugs crop up all the time. Why is this one different?

The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.

Log4j is part of the Java programming language, which is one of the foundational ways software has been written since the mid-90s. Huge swaths of the computer code that modern life runs on use Java and contain log4j. Cloud storage companies such as Google, Amazon and Microsoft, which provide the digital backbone for millions of other apps, are affected. So are giant software sellers whose programs are used by millions, such as IBM, Oracle and Salesforce. Devices that connect to the Internet such as TVs and security cameras are at risk as well. Hackers who try to break into digital spaces to steal information or plant malicious software suddenly have a massive new opportunity to try to get into nearly anywhere they want. That doesn’t mean everything will be hacked, but it just got a lot easier to do so — just as if the locks on half of the homes and businesses in a city suddenly stopped working all at once.

On top of all that, the vulnerability is straightforward to take advantage of. In the Minecraft video game, it’s as easy as typing a line of malicious code into the public chat box during a game. On Twitter, some people changed their display names to strings of bad code, Wired reported.

The vulnerability also gives hackers access to the heart of whatever system they’re trying to get into, cutting past all the typical defenses software companies throw up to block attacks. Overall, it’s a cybersecurity expert’s nightmare.

So how is the tech industry responding?

Computer programmers and security experts have been working night and day since the vulnerability was publicized to fix it in whatever piece of software they’re responsible for. At Google alone, more than 500 engineers had been going through reams and reams of code to make sure it was safe, according to one employee. That process was being repeated at all kinds of tech companies, spawning an entire new genre of memes from coders lamenting the hellish week they’ve been through.

“Some of the people didn’t see sleep for a long time, or they sleep like three hours, four hours and wake back up,” Ashkenazi said. “We were working around-the-clock. It’s a nightmare since it was out. It’s still a nightmare.”

Are hackers already taking advantage of it?

Hackers have been working just as hard as the security experts to exploit log4j before the bug gets patched. Cybersecurity software company Check Point said in a blog post that it saw hackers send out 60 different variations of the original exploit in a single 24-hour period. Hackers have already tried to use it to get into nearly half of all corporate networks around the world, Check Point said. Most of the hacking has focused on hijacking computers to run bitcoin mining software, a tactic hackers have used for years to make money, but on Dec. 15, Check Point said Iranian state-backed hackers used the vulnerability to try to break into Israeli government and business targets.

Though the bug was present for years, it’s unlikely criminal hackers have known about it until now, because if they had, security experts would have spotted it being used before, said William Malik, vice president at cybersecurity company Trend Micro. That doesn’t mean that more sophisticated government hackers, such as those working for the United States, Russia, Israel or China, haven’t used it before though, he said.
CISA has given federal civilian agencies a Dec. 24 deadline for patching log4j. But even with engineers working around-the-clock to meet that deadline, hackers will have potentially found their way into hundreds of thousands of services and sites by then, Ashkenazi said. In some cases, hackers will install “back doors” or malicious code that stays put even after the initial log4j problem gets fixed. Identifying and removing those back doors will be a whole separate task for security experts.

The vulnerability also gives ransomware attackers a fresh way to break into computer networks and freeze out their owners. These kinds of attacks have increased over the last two years, with hospitals, local governments and businesses all being targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and having their sensitive information exposed.

On Dec. 17, cybersecurity firm AdvIntel said it detected well-known ransomware gang Conti scanning the web for log4j and then launching an attack of its own.

And not everyone will fix the problem in the first place. Getting an entire industry to update a specific piece of software quickly is next to impossible. Many companies won’t end up doing it, or will think they aren’t affected when really they are.
That means log4j could be a problem for years to come.

What can we do?

To take advantage of the vulnerability, hackers have to deliver malicious code to a service running log4j. Phishing emails — those messages that try to trick you into clicking a link or opening an attachment — are one way to do so. Keep an eye out for an influx of phishing messages in the coming days, Malik said, as hackers scramble to plant bad code in as many places as possible.

If you get an email saying that your account has been compromised or your package failed to deliver, don’t open any links or attachments. First, make sure you actually have an account with that company or were expecting mail from that carrier. Then, find a real customer service number or address online and reach out that way.

The best thing regular computer users can do is make sure the apps they use are updated to their most recent versions, Malik said. Developers will be sending out patches over the coming days to fix any log4j issues, and downloading those quickly will be important.

For the most part, consumers should just wait and let the experts fix their software programs.

“Sit back, take a deep breath. It’s not the end of the world,” Malik said. “It’s going to be very busy the next few days for security folks.”

…………………………………………………
BLOG // INDUSTRY // OCT 14, 2020
Bishop Fox Fights for Election Security
By: Bishop Fox

Election security is currently top of mind for the American public, as we struggle to find technology that enables everyone to cast a vote without putting those votes at risk of manipulation by state actors and hacktivists. At Bishop Fox, we know just how critical this is for not only this election, but for future elections and for voting technology manufacturers going forward.

On a broader scale, it’s important that security researchers band together to help analyze and responsibly disclose security issues with manufacturers to protect the interests of the public – transparently disclosing those findings and helping to create solutions to fix vulnerabilities.

Recently, our CEO Vincent (we call him “Vinnie”) Liu was asked to stand as a technical expert in a case involving the State of Georgia and digital voting machine security (Curling v. Raffensperger). As a witness, Liu and Bishop Fox Labs tested and validated the security findings and analysis of Dominion Ballot-marking devices (BMDs) that will be used as the primary voting mechanism for the State of Georgia (as well as for Pennsylvania, California, and several other states) for the upcoming presidential election.

Despite the security concerns, a federal judge “rejected a last-minute attempt to replace the $104 million system with paper ballots until its problems could be sorted out,” according to the New York Times.

However, given that the security findings presented in the case have a potentially significant impact on future elections and in the interest of transparency, we wanted to share Vinnie’s commentary on the information presented by security researchers and analysts in this case:

“Malicious software implants on BMDs. It is asserted […] that a BMD has an icon that can be pressed at any time during a vote to display a SHA-256 hash-based checksum of the BMD’s software. The checksum can be visually inspected by election officials to ensure that it matches a known-good expected value…. This checksum is intended to present evidence that the BMD is running software that has not been modified by malware.

The most obvious flaw with this approach to security is that it ignores that malware can circumvent this check. This approach relies on the equipment to perform integrity checks of itself, which is unreliable and counter to well-accepted cybersecurity principles and practices. A BMD infected with malware could easily report the “correct” SHA-256 checksum and there would be no means to verify whether or not the checksum was valid or a malware deception.

In short, the security feature Dominion is using (checksum) provides only what is considered in the cybersecurity community “security theater,” said Liu, “not meaningful, verifiable integrity validation.”
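The argument quoted above, worked through as an added Python example that is not part of the Bishop Fox post and models no real BMD software: `HonestDevice`, `CompromisedDevice`, the sample image bytes and both check functions are constructed for illustration, and the "independent" check assumes the verifier can read the device's storage through a path the device's own software does not control.

```python
import hashlib

# Constructed illustration of why a self-reported checksum proves nothing:
# the code that computes and displays the hash is the very code being checked.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the certified software image and its published hash.
GOOD_IMAGE = b"bmd-software v1.0 (constructed sample image)"
EXPECTED_HASH = sha256_hex(GOOD_IMAGE)   # the "known-good value" officials compare against


class HonestDevice:
    """Runs the certified image and hashes its own storage on demand."""

    def __init__(self):
        self.storage = GOOD_IMAGE

    def display_checksum(self) -> str:
        return sha256_hex(self.storage)


class CompromisedDevice:
    """Runs a modified image but echoes the expected hash when asked."""

    def __init__(self, remembered_expected_hash: str):
        self.storage = GOOD_IMAGE + b" + vote-manipulating implant (constructed)"
        self._fake = remembered_expected_hash

    def display_checksum(self) -> str:
        # The implant owns the routine that draws the checksum on screen,
        # so it simply returns whatever value officials expect to see.
        return self._fake


def self_report_passes(device) -> bool:
    """The on-screen check: trusts whatever the device chooses to display."""
    return device.display_checksum() == EXPECTED_HASH


def independent_check_passes(device) -> bool:
    """External measurement: hash the bytes read from the device's storage
    with a trusted tool instead of trusting the device's own report."""
    return sha256_hex(device.storage) == EXPECTED_HASH
```

The independent check only helps if the storage is read through a channel the device software cannot interpose on (for example, a removable medium hashed on a separate trusted machine); a "verification" that asks the device to read itself collapses back into the self-report case.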

Vinnie’s statements in the case are available in full to the public and demonstrate Bishop Fox’s dedication to supporting responsibly disclosed security research, working toward the common good, and fully substantiating security claims that could impact the public.

“We believe that every vote counts and the tampering of a single vote can turn the tide of the election,” said Vinnie. “We need to come together in the security community to support the work we’re doing to protect people and their data. Security risks can and do impact every area of our lives and it’s our responsibility to do whatever we can to work alongside manufacturers, technology companies, and government organizations to guard our people against attackers.”