Experts say Canadians should use good “cyber hygiene” in light of the discovery of a massive software flaw that has resulted in the precautionary shutdown of thousands of websites.
The federal government, the government of Quebec and the Canada Revenue Agency are among the organizations that temporarily suspended websites as a precaution after the Canadian Centre for Cyber Security issued an alert Dec. 10 about the recently discovered software vulnerability in a Java-based library of an Apache product known as Log4j.
Experts describe the software flaw as akin to “leaving the back door open” in that it could give cyber criminals access to the thousands of organizations that use the open-source logging library.
“What we’re talking about here isn’t an attack or a hack or malware. What we’re talking about is a door that’s been left open and can be exploited,” said Brent Arnold, a Toronto-based litigator and data breach coach with the law firm Gowling WLG. “We know already that people are out there trying to take advantage of this.”
Arnold said hackers are able to use the software flaw to breach an organization’s defences, meaning they could potentially take control of its web servers, introduce malware or ransomware attacks, or steal customer data.
While public and government institutions appear to be the ones making public statements about Log4j so far, cybersecurity experts say the logging library is widely used in the private sector as well.
Patrick Mathieu, the co-founder of Hackfest, a large computer security event in Quebec City, said he’s concerned about the lack of communication from companies like major banks about how they’re working on the problem.
“Yes, the (Quebec) government shut this down, but what about big institutions, finance, insurance, mortgage, medical companies? Are they working on the issue?” Mathieu said.
“The lack of transparency right now, it’s dangerous.”
Even small businesses could potentially be exposed to the risk, said Sumit Bhatia, a director with the Rogers Cybersecure Catalyst at Ryerson University.
“Even if small and medium businesses aren’t developing a framework like this, they might be using products and services from those people who do,” he said. “And it’s important to them to reach out to their service providers and ask about the steps that have been taken.”
With governments and other organizations scrambling right now to assess their websites and patch them if necessary, experts say there’s not a lot that the average Canadian can do at this point to address their personal Log4j vulnerability.
“You don’t have any way of knowing when you visit a website if it’s been compromised with a defect. Short of crawling under a rock and not using your computer and not using the internet, there’s not very much (the average user) can do to look out for this specific problem,” Arnold said.
However, while it’s up to companies and organizations to fix the flaws that exist within their own systems, experts say Canadians should be doubly cautious right now when doing anything online. That means not clicking on suspicious links, being wary of emails from unknown sources, and monitoring their bank balances and credit card statements for unusual activity.
“All we can really do is keep being alert and doing all the things we should already be doing, but that not nearly enough of us are doing,” Arnold said.
“Change your passwords, go in and put in two-factor authentication in your systems,” Bhatia said. “These are steps that can make folks at least feel that they’ve done their part, while they’re allowing government institutions and businesses to think about how they’re going to be preventative in their own measures.”