2021-12-17

Log4Shell has been making headlines around the world for days. It is the name of the security flaw that has put a large part of the internet in check and, although a couple of patches have already been released to try to mitigate it, its consequences are still unknown. One of the keys to the matter lies not so much in what has happened as in its origin: an open source library (Log4J) developed by a volunteer. Its use was very widespread because it was useful and simple and, as it was so well known, it was assumed that it had been reviewed by other users. Reality has proven to be the opposite.

Ralph Goers is the name of this volunteer programmer on GitHub, the repository where he shared his creation. In his profile on the platform, he presents himself as a member of the Apache Software Foundation and a full-time ‘software’ architect who spends his free time on Log4J and other free software projects.

“I have always dreamed of working in open source full time and I would love for you to support me in doing so,” he says in his biography. Last week, when the flaw became public knowledge, he had only three sponsors on GitHub. At the time of writing, more than one hundred people already support him financially with contributions of between five and 50 dollars a month.

“Suddenly, it seems that the world is falling apart because of a little piece of code programmed by a man in the United States. Everyone uses it, but no one had properly audited it,” Sergio de los Santos, Head of Innovation and Laboratory at ElevenPaths, tells Teknautas. This specialist points to what he calls ‘the myth of a thousand eyes’ in the world of free ‘software’: popularity does not necessarily guarantee review. “It facilitates it, but it does not ensure it.”

All of this also has an undercurrent. “The Internet cannot depend on the work of a volunteer,” emphasizes De los Santos, who is quick to exonerate Goers “because he did the best he could.” In fact, he calls for greater recognition of the work of programmers who share their code selflessly. “If not, a very precarious environment is created, where many millions are invested in an application but a small and fundamental part is not audited,” he warns.

What did the flaw consist of?

The vulnerability was detected on December 1, but it was not made known to the general public until the 9th. Some companies have put the number of attacks carried out in that time at more than a million, but others are more cautious and prefer not to venture figures, since it depends on the method used to count them and, also, many of these alleged attacks are actually tests carried out by researchers or companies.

The origin of the problem lies in the Log4J library, which performs a function as basic as automatically keeping a log for any website or application written in Java: for example, the exact time and date at which a certain IP address requested a page. The detected hole allows certain modifications to be introduced into this code; once applied, they allow remote control of the servers that use that library. “When writing the ‘log’, which means saving the file, Log4j interprets it incorrectly and suddenly allows commands to be launched with a remote server,” De los Santos explains.
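The mechanism described above, a logging library that interprets the text it is asked to save instead of treating it as plain data, can be shown with a small toy. The following Python is an added example written for this article, not Log4J code or anything from the Apache project: it defines a made-up lookup syntax `${name:argument}`, a stand-in resolver named `remote` that only records which host a lookup would have contacted, a vulnerable logger that expands lookups found inside user-supplied data, a hardened one that expands lookups only in the operator-controlled pattern, and a check that flags lookup syntax in constructed web-server log lines. The lookup names, the `%m` placeholder, the host names and the log lines are all constructed for the example.

```python
import re

# Made-up lookup syntax for this example: ${name:argument}
LOOKUP = re.compile(r"\$\{([A-Za-z]+):([^}]*)\}")


def make_resolvers(contacted):
    """Toy resolvers. 'remote' stands in for a lookup that would reach out to a
    server named in its argument; here it only appends the host to `contacted`
    instead of performing any network access."""
    def remote(arg):
        contacted.append(arg)
        return "<remote:" + arg + ">"
    return {"upper": lambda arg: arg.upper(), "remote": remote}


def expand_lookups(text, resolvers):
    """Replace every ${name:arg} whose name has a resolver; leave others as-is."""
    def sub(match):
        name, arg = match.group(1), match.group(2)
        resolver = resolvers.get(name)
        return resolver(arg) if resolver else match.group(0)
    return LOOKUP.sub(sub, text)


def log_unsafe(pattern, message, contacted):
    """Vulnerable variant: the user-supplied message is spliced into the pattern
    first and the whole line is expanded afterwards, so lookup syntax carried by
    the message is interpreted (this is the mistake the article describes)."""
    line = pattern.replace("%m", message)
    return expand_lookups(line, make_resolvers(contacted))


def log_safe(pattern, message, contacted):
    """Hardened variant: only the operator-controlled pattern is expanded; the
    message is inserted afterwards and is never interpreted."""
    line = expand_lookups(pattern, make_resolvers(contacted))
    return line.replace("%m", message)


# Constructed access-log lines from a web server that writes its input verbatim
# (documentation-range IP addresses, placeholder host under .invalid).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [17/Dec/2021:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - [17/Dec/2021:10:01:07 +0100] "GET /login HTTP/1.1" 200 "${remote:lookup-host.invalid/a}"',
    '198.51.100.2 - - [17/Dec/2021:10:02:11 +0100] "GET /about HTTP/1.1" 200 "curl/7.79.1"',
]


def find_suspicious_lines(lines):
    """Defender's check: flag lines in which untrusted data carried lookup syntax.
    This only works on logs written by software that does not expand lookups."""
    return [line for line in lines if LOOKUP.search(line)]


if __name__ == "__main__":
    pattern = "${upper:app} %m"
    hostile = "ua=${remote:lookup-host.invalid/x}"

    contacted = []
    print("unsafe:", log_unsafe(pattern, hostile, contacted), "| contacted:", contacted)

    contacted = []
    print("safe:  ", log_safe(pattern, hostile, contacted), "| contacted:", contacted)

    for line in find_suspicious_lines(SAMPLE_ACCESS_LOG):
        print("flagged:", line)
```

The difference between the two loggers is where the boundary between configuration and data is drawn: `log_safe` never lets the message reach the expander, so whatever a visitor puts in a request header is written out literally. The pattern check in `find_suspicious_lines` is only a way to spot attempts in logs kept by software that does not interpret its input; it does nothing to protect the vulnerable library itself, which is why the experts quoted in this article insist that updating is the real fix.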

Besides being useful (and free), it is easy to implement, which is why Log4J is used by millions of companies. “It’s something that makes life a lot easier in programming,” says the ElevenPaths specialist. That worked against it when the bug was found in software that had become ubiquitous, although experts warn that it is too early to know how deep these errors run. For now, both Apache and national cybersecurity centres around the world have rated it at the highest risk level, including Spain’s Incibe and the National Cryptologic Centre (CCN).

Another key point is that this security hole may be exploited for years. “If massive attacks had been carried out at this point, it would have been detected earlier, but criminals are usually very selective so that it becomes a bullet they can use for a long time without burning the cartridge,” Josep Albors, head of Research at ESET in Spain, explains to this newspaper, defining it as “a master key for them to do whatever they want.”

And what do those who exploit the flaw do with it? Well, a bit of everything. One of the main activities detected has been remote cryptocurrency mining, but also the creation of networks of ‘bots’, something that can be used for activities as diverse as inflating a website’s traffic or carrying out denial-of-service attacks.

Other practices detected have been data hijacking – known as ‘ransomware’ – or the installation of malicious programs to damage certain systems. “They seek above all economic benefit,” Albors specifies. In addition, although Log4Shell affects companies and organizations more directly, it can also end up affecting end users, whose personal data hosted on the attacked server can be stolen.

There is a patch, but this will go on for a long time

A few days ago, Jen Easterly, director of the US Cybersecurity Agency (CISA), stated that what happened with Log4Shell was “one of the most serious flaws” she had seen in her career, “if not the most serious”. Experts consider it risky to make a statement of that caliber, but they put it in context: it surely has more to do with sounding the alarm so that it is taken seriously and the matter does not get worse.

In fact, there is already a solution, developed by Ralph Goers himself, who last Friday released a second patch – a more basic one had come out earlier in the week – to update Log4J. “He has cut his losses, because it completely disables the possibility of sending that string of code that takes advantage of the vulnerability,” celebrates Albors, who, like the rest of the specialists, points out something fundamental: for it to be effective, the key is to update.

“If you do not indicate that it is a real risk, companies leave it for later and forget,” says Albors, who recalls what happened with WannaCry, where “there was a patch that was three months old, but many companies had not applied it.” In fact, there have also been other large breaches of a similar nature, such as ShellShock and OpenSSL, which took place in 2014. “They all rocked the internet just like Log4Shell because they are very serious flaws in ubiquitous ‘software’,” adds De los Santos.

Of course, it is never clear that this patch will be the definitive one, since cracks can continue to appear elsewhere, as has happened before. “It is a race against time. Attackers are always investigating in order to attack,” says the ElevenPaths expert, who underlines that “every day new vulnerabilities are discovered and, even if this one is more serious, many others are exploited en masse and have not yet been solved.” In other words, the risk cannot be eliminated, but everything possible can be done to minimize it.

During the last week, the most important companies have already carried out the updates, which implies a higher level of protection. “Large systems will be protected, but that does not mean there will not be leaks in smaller ‘software’ or half-abandoned websites, so it will be a weapon for many years,” says De los Santos, who considers that the key to preventing Log4Shell from getting worse lies, in part, in the noise it has generated: “Bringing it into the open kills the danger because it scares off criminals. The bad thing is when only a few know about it.”