What is Log4Shell and why experts risk "the IT apocalypse"

The National Cybersecurity Agency speaks of "a vast and diversified attack surface over the entire network", defining the situation as "particularly serious". In other words, the Internet is in danger, its security is compromised. Here because by Arcangelo Ròciola updated at 19:36 12 December 2021

AGI - It is as if billions of house doors were suddenly open, without any protection. As if anyone with malicious intent could enter and take possession of it. It is still difficult to establish the true extent of the vulnerability discovered on computer systems that use the Java language, but that it is something serious is a unanimous opinion among experts. The National Cybersecurity Agency speaks of "a vast and diversified attack surface over the entire network", defining the situation as "particularly serious". In other words, the internet is in danger. His safety is compromised. All the software and applications written in Java, the most widely used programming language in the world, suddenly find themselves on their side: billions of programs and applications, from servers to smartphones. And the consequences could be even worse if in the next few days no solutions to Log4Shell are identified, as the vulnerability has been called, with the risk of compromising the security not only of servers and companies, but also of smartphones, computers, in short. , all devices in circulation. So much so as to lead some experts to talk about the "computer apocalypse". What happened: "The researchers discovered a vulnerability in Log4j, a library used by the vast majority of software programmers with Java language that allows you to write into the software what are called 'logs', that is the 'status' of the software itself that allow to photograph a moment in the development of the software itself, recording progress, performance, problems and solutions ”, explains to Agi Marco Ramilli, CEO of Yoroi. The vulnerability is in the tags of these logs, which a bit like blog tags or those on Twitter allow you to identify the type of log that has been written previously. “It turned out that one of these tags allows you to execute a command, launch a program,” continues Ramilli. Any type of command or program. He manages to say to the machine: 'Do this'. An attacker can then through this tag make the machine do what he wants. He can run code on the machine. But to do what? "Everything. At this moment, what we see is that the attackers use this vulnerability to mine cryptocurrencies ", that is, the operation that allows you to create bitcoins, a particularly complex activity that requires computing capacity and energy. "But they could do anything: enter a company's servers, see what's inside, steal trade secrets or decide to launch ransomware attacks to monetize their systems control," says Ramilli, who admits to having seen such an attack "about five, eight times in the last 20 years". In detail, what is Log4j? “If you use Java, you probably use Log4j”, Matteo Flora, IT security expert and CEO of TheFool, explains to Agi. “It's the de facto standard for anyone who uses Java” for programming. “It's everywhere, from Tesla, to Twitter, to Facebook, to numerical control systems to iPhones. What has emerged is an unresolved vulnerability ". What happens then? "In the worst case, it is a bit of a computer apocalypse: if this vulnerability is not resolved, it gives the possibility to launch commands. And we are already seeing cryptominers and abusive logins around. The problem is, a lot of this stuff is embedded, so there are no fast update systems. Plus it's everywhere ". Ramilli instead uses a metaphor: "Logging like that of Log4j is a bit like the text of an actor followed on stage: it is used to follow a track, or to go back to a specific point if you want to work on an error". A track to follow, and execute. In one of his passages, however, there is the possibility of completely changing the plot of the text, and of writing one's own. To your liking. Java is on around 3 billion devices. And Log4j, developed by Apache, is used by almost all programmers. To give an idea of its use and its reliability, just think that even Ingenuity, the NASA helicopter that landed on the ground of Mars last February, has software that uses Log4j, as Apache itself announced on its Twitter profile. . But you don't need to go to Mars to understand the enormous use of this programming language. In these hours hundreds, perhaps thousands of hackers across the world are trying to detect this vulnerability in software and servers in order to take possession of it and launch attacks. The biggest risk at the moment is run by companies and organizations, more or less large. Situation made even worse by the fact that it is often difficult to understand if Log4j was used in the development of their software, by whom, and when. On the grill, however, there are not only companies and institutions. Because the problem could soon concern the individual user, a smartphone owner, or a smartwatch owner. "If attackers attack a company, the user who is logged into that system", be it Twitter, Minecraft or Ecommerce company, to name some of the platforms that have currently identified the vulnerability, "you could see your personal data, or those of your credit cards ”, explains Ramilli. While even more serious is the possibility that could occur in the next few days if quick solutions are not found: “Malicious hackers could spread corrupted links and open through this vulnerability backdoors on people's devices, phones, tablets, any object connected to the network. And once a backdoor is opened, he can do whatever he wants ". For Ramilli there is time for a few more days. "As early as the middle of next week the situation could be difficult to recover". It is a race against time.