Hackers have been feasting on the vulnerability found this month in software running on millions of servers around the world, with more than 1.2m attacks on companies globally since last Friday, according to researchers.
Cyber security group Check Point said the attacks, relating to the Log4j open-source software library for logging data in Java-based applications, had accelerated, with its researchers seeing more than 100 attacks a minute at some points, reports Hannah Murphy.
Perpetrators include “Chinese government attackers”, according to Charles Carmakal, chief technology officer of cyber company Mandiant. The flaw in Log4j allows attackers to gain remote control over computers running apps in Java.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), told industry executives that the vulnerability was “one of the most serious I’ve seen in my entire career, if not the most serious”, according to US media reports. Hundreds of millions of devices are likely to be affected, she said.
Your views: A number of readers responded to my coverage of Log4j in yesterday’s newsletter, mainly defending the role of open source software in computer networks. I had linked to this article arguing there needed to be a professionalising of the role of maintaining such software, which was often carried out by volunteers in their spare time. Damon Lynch, an open source developer, objected to the headline, suggesting “Poorly supported code opens doors for hackers” was a fairer reflection of what was being said. Daniel Probst emailed: “While I agree that free riding on un(der)paid developers is a problem with many open source projects and can lead to security problems, IMHO the majority of grave security problems stem from closed source software not open source. Where was your post ‘1000s of closed source Microsoft Exchange servers actively compromised’?”
Dennis Gerson, an IBM veteran, said: “It is a failure of the various Software Foundation Community processes that lead to well known ‘bugs’ never getting fixed . . . As we all know, there is no ‘free lunch’. We traded high price, high acquisition and support cost proprietary technologies for free acquisition prices, low support cost Open Source technologies. The not so hidden price we all pay is exposure to long known bugs through hacks and lack of accountability in resolving bugs.”
Thank you for your comments.
The Internet of (Five) Things
1. Big Tech needs to take on bigger safety role, say MPs
The UK should force social media companies to assess and report the harm caused by their algorithms, a parliamentary committee has recommended ahead of new laws to improve online safety.
2. Apple probed over alleged whistleblower retaliation
The US Department of Labor is investigating the iPhone maker over claims that it retaliated against employee Ashley Gjovik, a former senior engineering program manager who complained of workplace harassment and unsafe working conditions.
3. Israel’s NSO Group considers Pegasus sale or shutdown
The spyware manufacturer whose military-grade malware has been condemned by human rights groups is considering a sale of the company or a shutdown of its controversial Pegasus unit, according to two people familiar with the discussions.
4. Altice builds BT stake
Patrick Drahi’s telecoms investment group Altice has increased its stake in BT from 12 to 18 per cent, but said it was not currently planning to make a bid for the former UK telecoms monopoly. Lex feels Drahi is playing a waiting game, but says he is unlikely to be successful in grabbing its broadband fibre business.
5. Toyota turbocharges electric drive
Toyota said it would pour $35bn into a shift towards electric vehicles as the world’s biggest carmaker sets itself up for direct rivalry with Tesla. This marks a significant increase in its electric targets as it aims to sell 3.5m battery-powered vehicles annually by 2030, with the launch of 30 EV models by then. Elsewhere, Harley-Davidson is spinning off its electric motorbike division.
Tech tools — Changing the world
In developing countries, approximately 700m people have access to a mobile phone but not to a power source to charge it, writes Jamie Waters in a look at four tech tools changing the world.
BuffaloGrid has developed a solar-powered hub: a handbag-sized device, it can charge 10 smartphones at once and, via a connected app, enables 20 phones to stream content simultaneously without requiring internet access. One hub can service about 600 people. Much of the company’s work has been undertaken in India and Bangladesh.
Its latest project — a joint effort with the non-profit TechFugees — is using the hubs to deliver power and access to information to refugee camps in Kenya and Uganda. It wants to roll out this “Knowledge is Freedom” campaign to displaced communities across Africa and the Middle East. The goal? To help over one million refugees. Donate at buffalogrid.com