2022-01-11
Officials have called the bug among the most serious in history because it affects nearly 3,000 commercial tech products and can be exploited relatively easily. But, since the bug was discovered about a month ago, most known log4j hacks have been pretty minor, such as hackers stealing victims’ computing power to mine cryptocurrency.
There are several possible explanations for the comparative dearth of big log4j hacks.
There's probably some truth to all of these.
- Cyber defenders got ahead of the threat and protected the most vulnerable targets faster than talented adversaries were able to hack them.
- Or, those high-powered hackers are waiting until defenders turn their focus away to commit their most dastardly attacks.
- Most troubling, it could simply mean the worst log4j hacks just haven’t become public yet — either because the victims haven’t alerted government and law enforcement or because they don’t know they’ve been hacked.
That last possibility is a powerful reminder of how little visibility government and researchers still have into the full scope of most cyber threats.
“I suspect, given the nature of these attackers and what we’ve seen in the past, there must be some big breaches out there from log4j that we just haven’t detected yet,” Tony Cole, chief technology officer at the cybersecurity firm Attivo Networks, told me. “They’ll pop up, and the next month will tell.”
The Cybersecurity and Infrastructure Security Agency (CISA) hasn’t yet seen any “significant intrusions” that used log4j, Director Jen Easterly told reporters yesterday.
The agency also hasn’t seen any evidence the bug was used to hack federal agencies or used in any ransomware attacks. Easterly cautioned, however, that there could be a lot of activity CISA doesn’t know about — especially ransomware attacks, which often go unreported.
“I hope it’s the speed and the scale of this response that is going to minimize any significant impacts to our partners in critical infrastructure. But we are always going to maintain the highest vigilance,” she said.
Hackers will likely be using the log4j bug to compromise their victims “well into the future,” Easterly warned.
The government's visibility into such hacks could have been expanded by a bipartisan measure that would have required critical infrastructure companies to alert CISA when they're hacked. The measure narrowly failed to become law last year amid Senate bickering. The top Democrat and Republican on the chamber's Homeland Security Committee have said they'll push again for it this year.
“We are concerned that threat actors are going to start taking advantage of this vulnerability and having impacts, in particular on critical infrastructure, and because there is no legislation in place, we will likely not know about it," Easterly said.
Here’s further analysis from Gregory Bednarski, cybersecurity policy and strategy chief at the National Security Agency:
CISA has been leading the government response to the bug.
That has included mandating government agencies protect against it and holding regular videoconferencing meetings with top cybersecurity companies and firms in critical sectors such as energy, transportation and financial services.
The Federal Trade Commission also jumped into the fray last week, warning that it could impose hefty fines on companies that leave themselves vulnerable to log4j attacks.
The bug is also highlighting some long-standing problems with “open-source” software, such as log4j.
Such software is built and maintained by volunteers but then inserted into a wide variety of products.
Open-source software has been a huge boon to the tech industry because it dramatically reduces the amount of original code that product developers have to write. But it creates dangers, too.
Log4j is used so commonly that many organizations don’t even know that some of their computer systems are relying on it and so could remain vulnerable to hackers for months or years.
“This is three levels deep in some products, and organizations don’t know the product is using it,” Adam Meyers, senior vice president for intelligence at the cybersecurity firm CrowdStrike, told me.
CISA is looking at long-term fixes for that problem.
They include:
- Creating systems called “software bills of materials” for companies to tally all the software that’s in their products like the ingredients lists on food products
- Requiring more stringent software security checks for government agencies that can be copied by the private sector
- Improving the ability of tech product companies to respond to new bugs
- Developing new tools driven by artificial intelligence and machine learning that analyze open-source software for hacking vulnerabilities
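The first item on that list, and Meyers’s “three levels deep” remark above, come down to one practical problem: a team cannot patch a library it does not know it ships. The script below is an added example written for this page, not code from the Post, CISA or CrowdStrike. It builds a minimal software-bill-of-materials-style inventory by walking a deployment directory, opening every jar/war/ear, reading the Maven marker file each artifact carries (META-INF/maven/<groupId>/<artifactId>/pom.properties), and recursing into archives nested inside archives. The deployment tree it scans is constructed in code (the vendor names, file names and the 2.14.1 version string are sample values, not real products), with log4j-core deliberately buried two archives down so the inventory shows how a dependency hides.

```python
import io
import json
import os
import tempfile
import zipfile

# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties,
# which names the artifact and its version; that marker is what we read.
MAVEN_PREFIX = "META-INF/maven/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
LOG4J_GROUP = "org.apache.logging.log4j"


def parse_pom_properties(text):
    """Parse the key=value lines of a pom.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inventory_archive(data, location, depth, results, max_depth=5):
    """Record every Maven artifact in an archive, recursing into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                results.append({
                    "group": props.get("groupId"),
                    "artifact": props.get("artifactId"),
                    "version": props.get("version"),
                    "location": location,   # outer!/inner!/innermost path
                    "depth": depth,         # 0 = file on disk, 1 = inside it, ...
                })
            elif name.endswith(ARCHIVE_SUFFIXES) and depth < max_depth:
                inventory_archive(zf.read(name), f"{location}!/{name}",
                                  depth + 1, results, max_depth)


def build_inventory(root):
    """Walk a directory tree and return a flat list of all Maven artifacts found."""
    results = []
    for dirpath, _, files in os.walk(root):
        for filename in sorted(files):
            if filename.endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, filename)
                with open(full, "rb") as fh:
                    inventory_archive(fh.read(), os.path.relpath(full, root), 0, results)
    return results


def find_log4j_core(inventory):
    """Filter the inventory down to log4j-core entries, however deeply nested."""
    return [e for e in inventory
            if e["group"] == LOG4J_GROUP and e["artifact"] == "log4j-core"]


# --- constructed sample deployment (names and versions are made up) ----------

def _pom_properties(group, artifact, version):
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n"


def _make_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Write a war that bundles a vendor jar that bundles log4j-core: three levels."""
    log4j_core = _make_archive({
        f"{MAVEN_PREFIX}{LOG4J_GROUP}/log4j-core/pom.properties":
            _pom_properties(LOG4J_GROUP, "log4j-core", "2.14.1"),
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
    })
    vendor_lib = _make_archive({
        f"{MAVEN_PREFIX}com.example/vendor-lib/pom.properties":
            _pom_properties("com.example", "vendor-lib", "3.2.0"),
        "lib/log4j-core-2.14.1.jar": log4j_core,
    })
    app_war = _make_archive({"WEB-INF/lib/vendor-lib-3.2.0.jar": vendor_lib})
    utils_jar = _make_archive({
        f"{MAVEN_PREFIX}com.example/acme-utils/pom.properties":
            _pom_properties("com.example", "acme-utils", "1.0"),
    })
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "webapps", "app.war"), "wb") as fh:
        fh.write(app_war)
    with open(os.path.join(root, "acme-utils.jar"), "wb") as fh:
        fh.write(utils_jar)


def demo():
    """Build the sample tree, inventory it, and return (inventory, log4j-core hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        inventory = build_inventory(root)
        return inventory, find_log4j_core(inventory)


if __name__ == "__main__":
    inventory, hits = demo()
    print(json.dumps({"inventory": inventory, "log4j_core": hits}, indent=2))
```

Run against a real application directory, `build_inventory` gives the per-component list an SBOM is meant to capture, and `find_log4j_core` turns it into the one question defenders were asking in December: which installed versions of log4j-core do we actually run, and inside which product? A file-name scan would have missed the sample’s copy entirely, because the only thing visible on disk is app.war. The version strings reported are what you compare against your vendor’s advisory; the script itself asserts nothing about which versions are safe.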
The keys
A Wisconsin judge approved new subpoenas in a partisan election review
The subpoenas target election officials and politicians and could help reignite former Wisconsin Supreme Court Justice Michael Gableman’s GOP-backed review of the state’s 2020 election results, the Milwaukee Journal Sentinel’s Patrick Marley reports.
The subpoenas targeted the bipartisan Wisconsin Elections Commission and its director, Meagan Wolfe, among others.
Dane County Circuit Judge Rhonda Lanford's ruling left room for Wisconsin Attorney General Josh Kaul (D) "to continue to fight the subpoenas and try to prevent the interviews from occurring in secret,” Marley writes. Kaul represents the election commission and Wolfe in the case.
The probe has been beset by blunders for months. Some of Gableman’s subpoenas had blatant errors. His team also used an insecure email account to tell county clerks how to preserve evidence, leading some to mark the messages as “junk.”
Wisconsin Assembly Speaker Robin Vos (R) is negotiating a potential extension of Gableman’s contract. He said he wants the probe to conclude by February so he can use it as evidence for new election legislation.
A European privacy regulator ordered police to delete a massive trove of data
The European Data Protection Supervisor ordered Europol to delete much of its policing database, which holds at least four petabytes of data, the Guardian’s Apostolis Fotiadis, Ludek Stavinoha, Giacomo Zandonini and Daniel Howden report. Four petabytes is a gargantuan amount of data, equivalent to around “a fifth of the entire contents of the US Library of Congress,” they write.
It includes data that was taken “from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime,” they add.
“Among the quadrillions of bytes held are sensitive data on at least a quarter of a million current or former terror and serious crime suspects and a multitude of other people with whom they came into contact,” they write. “It has been accumulated from national police authorities over the last six years, in a series of data dumps from an unknown number of criminal investigations.”
The privacy watchdog told Europol to delete data that is more than six months old. Europol denied wrongdoing and hinted that the regulator may be interpreting rules impractically, the Guardian reports.
Federal agencies are on a spending spree for facial recognition tech
The U.S. government has signed more than 20 contracts for facial recognition services worth up to $7 million or more, CyberScoop’s Tonya Riley reports.
The contracts are racking up despite concern that facial recognition technology is invasive, poorly regulated and can falsely identify people of color. “The contracts demonstrate that despite a growing chorus of concerns from lawmakers, regulators and civil liberties advocates about the dangers of facial recognition technology, federal law enforcement agencies have no interest in rolling back their use of the technologies,” Tonya writes. “Instead, they’re plowing ahead with private partnerships with companies whose databases of photos of private citizens eclipse government databases in scale.”
Sen. Ron Wyden (D-Ore.) blasted a December contract between the FBI and Clearview AI. The firm built its database by scraping images from social media platforms. “Clearview AI harvested millions of Americans’ personal photographs without their permission to build a massive facial recognition database,” Wyden told CyberScoop. “It is deeply disappointing that the government would choose to reward this practice with taxpayer dollars, and use its credit card to end-run Americans’ Fourth Amendment rights.”
Wyden has introduced legislation that would ban the government from buying access to data — like Clearview AI databases — without a warrant.
Daybook
- Damian Collins, who chairs the U.K. Parliament’s Joint Committee on the Draft Online Safety Bill, discusses disinformation at a Washington Post Live event with former Rep. Will Hurd, a Republican who represented Texas, today at 11 a.m.
- The Senate Intelligence Committee holds a hearing on President Biden’s nomination of Kenneth Wainstein to be the Department of Homeland Security’s Undersecretary for Intelligence and Analysis on Wednesday at 2 p.m.
- Rep. Yvette D. Clarke (D-N.Y.), Rep. John Katko (R-N.Y.), the Department of Homeland Security’s Undersecretary for Policy Robert Silvers, and FBI Assistant Director Bryan Vorndran discuss 2022’s cybersecurity priorities at a Silverado Policy Accelerator event on Thursday at 9 a.m.
- Silverado Policy Accelerator chairman and co-founder Dmitri Alperovitch, U.S. Secret Service Assistant Director Jeremy Sheridan and FBI Deputy Assistant Director Tonya Ugoretz discuss cybersecurity threats at a Washington Post Live event on Thursday at 11 a.m.
