
WCCO AM 830 with Cory Hepola, Thursday, Dec. 16, 2021; Online Scams, Log4j Vulnerability

Finding online scams is not a technology thing, it’s a human nature thing. Follow the same advice our parents taught us and our parents’ parents taught them: if it’s too good to be true, then it’s probably a lie.

The log4j vulnerability is bigger news than finding online scams. Millions of web applications use the Apache Foundation log4j software module for diagnostic logging. But on Nov. 24, 2021, Chen Zhaojun, with Alibaba Group Holding Ltd.’s cloud-security team, emailed Apache to report a remote code execution (RCE) vulnerability, which means attackers around the world can remotely execute any code they want on victim systems. That means attackers can control millions of websites around the world and steal from anyone who uses them.

That led to a mad scramble among engineering teams around the world, first to fix log4j, and then to assess and update millions of applications that depend on it. Applications from the largest websites in the world to the tiniest embedded smart home devices use log4j. They’re all potentially vulnerable. They all need updates. If you have a security camera, internet-connected door locks, thermostat, kitchen appliance, or any other smart-home device, contact your vendor for an update. And don’t accept no as an answer.

This Bloomberg article chronicled the early log4j history. Cory Hepola and I talked about it on the radio. It’s a fascinating story.
