FTC threatens ‘lawsuit’ over unpatched Log4j and other vulnerabilities – Naked Security


The Federal Trade Commission (FTC) is America’s consumer rights body, and it entered 2022 with a bang, not a whimper.

Using the notorious Log4Shell vulnerability as what you might call its Exhibit A, the FTC has fired a warning shot at companies under US jurisdiction, telling them to get their patching in order or face the consequences:

It is essential that businesses and their suppliers relying on Log4j act now, to reduce the likelihood of harm to consumers and avoid FTC lawsuits.

It’s not just Log4j, of course, that creates a legal obligation to do whatever it takes to protect consumers, with the FTC reminding us all that:

When vulnerabilities are discovered and exploited, it risks personal information loss or violation, financial loss, and other irreversible damage. The obligation to take reasonable steps to mitigate known software vulnerabilities involves laws, including the Federal Trade Commission Act and the Gramm Leach Bliley Act.

In other words, even if your business is itself a victim of crime, that does not release you from civil or criminal liability.

Simply put: if there were data breach precautions you could reasonably have taken, and that people would reasonably expect you to have taken, but you didn’t …

… then you could end up as both a victim and a perpetrator.

The FTC has done it before

The short but direct warning from the FTC points to the infamous 2017 Equifax breach, in which the US credit reporting giant was compromised via an unpatched Apache Struts vulnerability with the unassuming bug identifier CVE-2017-5638.

The personal information of nearly 150,000,000 people was exposed.

The FTC vividly reminds us that Equifax ended up paying $700 million to settle the ensuing lawsuits brought by the FTC itself, the US Consumer Financial Protection Bureau, and the fifty US states.

The FTC is also making it clear that it will be perfectly happy to lead the charge against would-be offenders:

The FTC intends to use all of its legal authority to prosecute companies that fail to take reasonable steps to protect consumer data from exposure to Log4j or similar known vulnerabilities in the future.

We’ve seen this before

Interestingly, the Apache Struts vulnerability that caught Equifax had many similarities to the Log4Shell security hole in Apache’s Log4j logging code.

The CVE-2017-5638 Struts vulnerability was exploitable because innocent-looking text data in an untrusted web request could contain “magic character sequences” that were treated like miniature programs at the receiving end.

Instead of saying “the data I just sent you is in this format: text/plain”, you could say something like “the data I just sent you is in this format: (hey, run this totally untrusted short text string as a fragment of a program to find out what format it is)”.

Like Log4j’s Log4Shell hole, this bug was originally designed as a feature, giving your back-end business logic programmers awesome flexibility in their code, while inadvertently giving cybercriminals an exploitable backdoor for remote code execution at the same time.

Worse still was the Log4j bug officially known as CVE-2021-44228, but commonly known as Log4Shell.

The logging toolkit wrongly allowed crooks not only to say “the data I want you to log is: this text here”, but also to embed logging instructions such as “the data I want you to log is: (hey, here is a web URL where you will find a program that may or may not tell you that, so please download it yourself and run it for me)”.
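Both bugs above share one design flaw: a component that was supposed to treat incoming text as inert data instead interpreted “magic” sequences inside it. The toy logger below is an added example, not code from Log4j, Struts or this article, and every name and value in it (the lookup table, the `${name}` syntax, the `%msg` placeholder, the sample request) is constructed for illustration. It shows a vulnerable renderer that expands lookups over the whole line after the untrusted message has been spliced in, next to a fixed renderer that expands lookups only in the developer-controlled pattern and never in the message, plus a simple check a defender can run on untrusted input to spot lookup-style syntax for monitoring.

```python
import re
from typing import Dict

# Constructed lookup table standing in for the environment/context values a
# real logging toolkit can resolve. Names and values are made up for this example.
LOOKUPS: Dict[str, str] = {
    "app": "webshop",
    "host": "web01",
    "secret": "constructed-secret-value",  # something that must never leak into a log line
}

# Hypothetical lookup syntax for this toy: ${name}
LOOKUP_RE = re.compile(r"\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}")

# Constructed inputs: a developer-written pattern and a message taken from an
# untrusted HTTP header (the kind of data a web app routinely logs).
PATTERN = "[${app}@${host}] user-agent=%msg"
UNTRUSTED_MESSAGE = "Mozilla/5.0 ${secret}"


def expand(text: str) -> str:
    """Replace every ${name} with its lookup value; unknown names are left untouched."""
    return LOOKUP_RE.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)


def render_vulnerable(pattern: str, message: str) -> str:
    """Splice the message in first, then expand lookups over the whole line.

    Because the untrusted message is already part of the line, any ${...}
    it carries is honoured exactly like the lookups the developer wrote:
    data from the outside world is being executed as a tiny program.
    """
    return expand(pattern.replace("%msg", message))


def render_fixed(pattern: str, message: str) -> str:
    """Expand lookups only in the developer-controlled pattern, then splice
    the message in verbatim. The message is data and is never interpreted."""
    return expand(pattern).replace("%msg", message)


def contains_lookup(message: str) -> bool:
    """Cheap detection check for ${...} syntax in untrusted input, useful for
    flagging requests that probe a logger for lookup behaviour."""
    return LOOKUP_RE.search(message) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PATTERN, UNTRUSTED_MESSAGE))
    print("fixed:     ", render_fixed(PATTERN, UNTRUSTED_MESSAGE))
    print("suspicious:", contains_lookup(UNTRUSTED_MESSAGE))
```

The vulnerable renderer leaks the constructed secret into the log line because it resolved a lookup that arrived inside the request; the fixed renderer writes the request text exactly as received. The design lesson is the one the article draws: anything that arrives from outside is data, and the only code that may be interpreted is the code (or pattern) the developer wrote.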


What to do?

If you’re still stuck with 1999-style patch policies that are all about letting the more gung-ho businesses go first, carefully watching how they get on, then waiting a few more days, weeks or months while your change control committee assesses the pros and cons …

… you may need to ask your change control committee to make a change within the change control committee itself.

Essentially, the FTC is warning companies and vendors that some vulnerabilities and fixes are important enough that there is no room for “lead, follow or get out of the way”; there is only room for “lead”.

In Naked Security’s own regularly repeated words: patch early, patch often …

… your customers (and the regulators in your country) will respect you for it!
