Cybersecurity experts struggle to answer lawmakers’ questions on Log4J


Cybersecurity experts struggled Tuesday to answer lawmakers’ fundamental questions about the danger of a flaw in the open-source logging library Apache Log4J that could plague network defenders for years.

The vulnerability was disclosed in December, and the software is so widely used that the FBI quickly told victims it might not respond to every report because of how large the potential victim pool had become.

About two months after it was revealed, cybersecurity experts said they were unable to answer senators’ questions about whether the vulnerability might have been exploited for years without being detected, or about the full picture of who is at risk.

According to cybersecurity firm Dragos, potential victims span a number of industries, including electricity, water, transportation, food and manufacturing.

David Nalley, president of the Apache Software Foundation, told the Senate Homeland Security and Governmental Affairs Committee on Tuesday that he did not know how many users the flawed software has.

“Mr. Nalley, how many products use Log4J code?” asked Missouri Republican Senator Josh Hawley at the hearing. “Do you have any idea?”

“I have no idea about that,” Mr. Nalley said. “Unfortunately, our users are not required to enter into any contract to provide us with any contact information or to tell us how, where or at what scale they use it, so it is unknown to me.”

Whatever the number of affected products, it is likely still increasing. Mr. Nalley said he had heard that in mid-January developers were still downloading a vulnerable version of Log4J at a rate of around 10,000 downloads per hour. He said he did not know the number of detected attacks.

Cybersecurity companies said they have identified hackers backed by China, Iran and others exploiting the vulnerability, which has raised concerns among US cyber officials.

When asked at Tuesday’s Senate hearing what China is doing, Mr. Nalley said he did not know how the country had used the flaw in his organization’s software.

Other cyber experts from Cisco, Palo Alto Networks, and the Atlantic Council also had no answers.

Even if cyber experts can learn what China and other nations hostile to the United States are doing now to step up attacks against Americans, they may never know what happened before. The vulnerable code appears to have been present since 2013.

Republican Senator James Lankford of Oklahoma asked the cyber experts what the chances were that the software flaw had been exploited during the previous nine years, and all of the witnesses sat silently until he called on one of them to answer.

Mr. Nalley said his team did not observe any evidence of exploitation before the flaw was announced in December, but he noted that absence of evidence is not evidence of absence.

Describing how researchers approach the problem, Cisco senior vice president Brad Arkin said they can look back through computer logs for signs of where the flaw was used before.

“According to our telemetry, I think there were some signs of abuse before December 9, but only about a week earlier, back to December 2,” Arkin said. “There was no indication of any abuse going on before this.”

The private sector’s inability to say how big a problem the flaw is and how it could be exploited in cyberattacks is being used by the leadership of the homeland security committee to push new cybersecurity legislation through.

Michigan Democrat Senator Gary Peters and Ohio Republican Rob Portman said on Tuesday that the pair had moved a bundle of three bills they wrote through the committee, which include, among other things, cyber-incident reporting requirements and rules for critical infrastructure operators.

Mr Peters said Russia has reportedly exploited this vulnerability in its cyberattacks against Ukraine.

Mr Peters said at the hearing, “The implications of widespread vulnerabilities need to be better understood and we need to pass incident reporting legislation to make sure we have a full picture of the threat we face in this country.”

Exploitation of Log4J has not produced any publicly observable victims, unlike last year’s ransomware attack on Colonial Pipeline, which disrupted fuel markets and led to gas lines along the east coast.

Cyber attackers may be waiting for the right moment to exploit the vulnerability, but there are other possibilities.

The NSA’s Greg Bednarski said on Twitter in January that the absence of known victims could stem from factors ranging from people not knowing they were victims to network defenders being more proficient than expected.

Last week, the Biden administration announced that it would form a “Cybersecurity Review Board,” with members from the public and private sectors tasked with examining the Log4J issue and preparing a report during the summer.

If the cyber experts’ predictions come true, the Log4J issue will not be over by the time the report is due.

“Given the near ubiquity of use of Log4J, it could take months or even years for all distributed instances of this vulnerability to be eradicated,” Mr. Nalley said.
