Communications of the ACM
Locking Down Secure Open Source Software
Credit: Andrij Borys Associates, Shutterstock
Panic rippled through the cybersecurity world in early December 2021 as word spread about a newly discovered vulnerability in a piece of open source software used by millions. A string of code called Log4J, which instructs programs written in Java to create a record of program activity, would allow attackers to insert malicious code into programs. The flaw led to risks in software used by government agencies, Web service providers such as Amazon Web Services and Apple iCloud, and even video games such as Minecraft.
In fact, within days of the first announcement, attackers used the flaw to get into the computer of the Suffolk County, NY, clerk's office. Over the next few months, they stole files and passwords, installed malware and crypto-currency mining software, and gained access to other county networks, including the health and sheriff's departments. In September, they encrypted files and demanded $2.5 million in ransom. The county refused to pay and was forced to switch to paper in providing services, and has since spent at least $5.2 million on investigation and repairs.
No entries found