Critical Apache Log4j2 exploit demonstrated in Minecraft.

Views expressed in this cybersecurity-intelligence update are those of the reporters and correspondents.

Accessed on 14 December 2021, 2023 UTC.

Content supplied by email subscription to “PC Magazine Security Watch.”

Source:  https://www.pcmag.com

Please scroll down to read your selections.

 

Trouble viewing this email? View in a browser
 
 
PCMag SecurityWatch
 
Critical Apache Log4j2 Exploit Demonstrated in Minecraft
Last weekend was a bad time to be a server administrator. A critical vulnerability emerged in Apache Log4j2. The big problem? Attackers have the chance to exploit the open-source Java package that all kinds of applications, from Twitter to iCloud, use to execute any code an attacker chooses.

That’s as scary as it sounds.

What the Apache Log4j2 Exploit Means for You and Me

I spoke with cybersecurity researcher John Hammond from Huntress Labs about the exploit and the subsequent scramble to mitigate the damage. Hammond recreated the exploit on a Minecraft server for his YouTube channel, and the results were explosive.

Q: What is this exploit? Can you explain what is happening in layman’s terms?

A: This exploit allows bad actors to gain control of a computer with a single line of text. In layman’s terms, a log file is retrieving a new entry but happens to be reading and actually executing upon data inside the log file. With specifically crafted input, a victim computer would reach out to and connect to a separate malicious device to download and execute any nefarious actions that the adversary has prepared.

Q: How hard was it to replicate this exploit in Minecraft?

A: This vulnerability and exploit is trivial to set up, which makes it a very attractive option for bad actors. I have showcased a video walkthrough demonstrating how this was recreated in Minecraft, and the “attacker’s perspective” takes maybe 10 minutes to set up if they know what they are up to and what they need.

Q: Who is affected by this?

A: Ultimately, everyone is affected by this in some way or another. There is an extremely high chance, almost certain, that every person interacts with some software or technology that has this vulnerability tucked away somewhere. 

We have seen evidence of the vulnerability in things like Amazon, Tesla, Steam, even Twitter and LinkedIn. Unfortunately, we will see the impact of this vulnerability for a very long time, while some legacy software may not be maintained or push updates these days.

Q: What do affected parties need to do to keep their systems safe?

A: Honestly, individuals should stay cognizant of the software and applications they use, and even do a simple Google search for “[that-software-name] log4j” and check if that vendor or provider has shared any advisories for notifications regarding this new threat. 

This vulnerability is shaking up the whole Internet and security landscape. Folks should download the latest security updates from their providers as quickly as they are available and remain vigilant on applications that are still awaiting an update. And of course, security still boils down to the bare-bones basics you can’t forget: run a solid antivirus, use long, complex passwords (a digital password manager is strongly recommended!), and be especially aware of what is presented in front of you on your computer.

Get this from a friend? Get it delivered to your inbox weekly. Sign up for the SecurityWatch newsletter.


Cops + Data Brokers = Legal Loopholes

Criminals in old movies always knew their way around both the right and wrong sides of the law. If a police officer threatened to bust down their door, they’d just smirk and say, “Oh yeah? Come back with a warrant.”

In today’s reality, police don’t need to bother getting a warrant for your data if they can buy the information from a data broker. Now, we aren’t ones to romanticize law-breaking, but we don’t like possible abuses of power, either.

As PCMag’s Rob Pegoraro writes, data brokers provide law enforcement and intelligence agencies ways to get around the Fourth Amendment by allowing the sale of information collected about private citizens. The FBI signed a contract with a data broker for “pre-investigative activities” in one example.

Thanks to convoluted app privacy policies and data broker terms and conditions, the average American citizen probably doesn’t know how their phone’s location data gets into a law enforcement database. Does that bother you? If so, it’s time to take matters into your own hands and stop the data collection at the source. Use the location privacy features Apple and Google offer to keep your location a secret from your apps. iOS lets users keep any app from knowing their location, and Google’s Android 12 adds similar controls.

Stay safe,

Kim Key
PCMag Security Analyst

What Else is Happening in the Security World This Week?

 
 
TECH DEAL OF THE DAY
 
If you buy something from our links, we may get a commission from the sale. Learn more here.
 
 
 
Norton AntiVirus Plus Annual Subscription (1 PC/Mac)
 
$59.99 $14.99  
GET DEAL

 
TODAY’S TOP NEWS
 
   
Researchers Share New Attacks on Wi-Fi and Bluetooth Chips

Apple Releases App to Help Android Users Detect Rogue AirTags

How to Figure Out If Your Phone Has Malware

Why You Need a Password Manager, and How to Choose the Right One

11 Essential Apps for Ironclad Online Privacy

 
   
TOP TECH DEALS
Want more deals like these delivered to your inbox?
GET OUR BEST DEALS TODAY
 
 
 
Amazon Device Deals $25 Fire TV 4K Stick, $60 Echo Show 8, $155 Echo Frames (2nd Gen) & More
 
 
GET DEAL

 
Canon PIXMA TS3522 Wireless AIO Printer w/ 50 Sheets of 4×6 Glossy Photo Paper
 
$49.00 $39.00  
GET DEAL

 
HP Pavilion 15 AMD Ryzen 7 5700U Eight-core 15.6″ 1080p Laptop w/ 512GB SSD
 
$749.00 $599.00  
GET DEAL

 
Winix 5300-2 Air Purifier w/ True HEPA, PlasmaWave & Odor Reducing Carbon Filter
 
$199.99 $123.70  
GET DEAL

 
500GB Crucial P2 M.2 PCIe NVMe Internal SSD (Up to 2400MB/s transfer speeds)
 
$59.99 $44.99  
GET DEAL

   
                                       
All product and deal information such as discount, price and availability are believed to be accurate as of the time of publication. Please verify these details with the merchant site and check the merchant’s terms and conditions before you buy. Publisher is not responsible for errors or omissions.
SHARE & FOLLOW US
      

 

 

For the latest cybersecurity news and information, please check the blog sidebar, links, and twitter posts.

Russ Roberts

https://cyber-security-intelligence.org