DailyPost 1906
Log4j
It seems security has slowly been moved to the private domain. From the security point of view, everything seems to be normal on the face of it. Whatever happens in the cyber security area is still not a matter of concern in this country. The mindset of the watertight compartments of Security and Cyber Security has been concertized even further. In reality, the world is moving in a diametrically opposite direction as we are moving very fast towards a cyber physical world. The Log4j vulnerability is spinning the world on its head. But in India, life is as usual both the security and supposedly the IT and regulatory establishments as well. An urgent warning comes from the US government’s cyber security agency.
The flaw in the Log4j software ”could allow hackers unfettered access to computer systems.”* Mandiant CTO has been getting requests from several major companies in the last few days for help on this count. He stated, ”this is probably the worst security vulnerability in at least the last 10 years – may be longer.” How long will it take to patch up the vulnerability? Microsoft and Cisco have already published advisories about the flaw. The software developers released a fix late last week. But the challenge is how thousands of companies put the fix in place before it is exploited. This vulnerability was discovered by the cloud security team of Alibaba Group as per the Apache Software Foundation, which maintains Log4j.
The said vulnerability gives control of the system to the hackers. The pervasiveness of the code across board is a Himalayan task, being faced by the IT and Cyber Security fraternity globally. ”Because the faulty computer code is baked into the software of all sorts, updating it is a painstaking process.” The complexity of the digital world nobody is ready to understand, more so the governments, even if it means that the risk grows manifold. It is declared as a severe risk by the US government. It is now the vendors’ turn to turn the tide. It is only they who can perform the remedial action at a scale and speed that is warranted. Vendor, ”must immediately identify, mitigate, and patch the wide array of products using this software.”
VMWare, the makers of the virtualization software, said that several of its products were likely to be affected by the Java-based Log4j. The only way to describe this hack / attack / exploit is ubiquitous. Of the customers running Tenable scanning products, at least three systems a second are reporting that they are affected. The federal system as on Saturday remains uncompromised. The stoic silence of the governments and agencies here and near total black out in the media, makes us believe that we are living in an unreal world, the real world is not only what we physically see and feel today. A tweet can put the country on fire, but the Log4j vulnerability is not worth even a whimper. Reality cannot be crazier.
NOT RECOGNISING THE LOG4J VULNERABILITY IS LIKE ACHIEVING DIGITAL ENLIGHTENMENT.
Sanjay Sahay