Takeaway: The Log4j vulnerability, also known as Log4Shell, is a critical threat, and no organization should assume it is safe. Determining exposure to Log4j, and fixing vulnerable installations, should be a high priority for most security teams.
The Log4j exploit, also known as the Log4Shell vulnerability, allows threat actors to take control of web-facing servers by feeding them a malicious text string. It exists within Log4j, an open-source Apache library for logging errors and events in Java-based applications. Third-party logging solutions like Log4j are a common way for software developers to log data within an application without building a custom solution.[1]
The Log4Shell vulnerability is triggered when an attacker inserts a Java Naming and Directory Interface (JNDI) lookup into a header field that is likely to be logged; the lookup points to a server the attacker controls. When Log4j logs this string, it resolves the lookup, and the attacker's server returns directory information that leads to the download and execution of a malicious Java class. This means cybercriminals can both extract private keys and, depending on the level of defenses in place, download and run malware directly on impacted servers. In essence, the Log4Shell vulnerability allows attackers to remotely inject arbitrary code into a target network and assume complete control of it.
A technical look at Log4j
To understand the cyberattack sequence, it’s important to first define data logging and understand how loggers operate. Data logging is the process of collecting and storing data over a period of time in order to analyze specific trends or record the data-based events and actions of a system, network, or IT environment. It enables the tracking of all interactions through which data, files, or applications are stored, accessed, or modified on a storage device or application.[2] Without a logger library like Log4j, information from servers is instantly archived after collection.[3]
But if logged data is actively analyzed, or if certain actions in response to specific log data are required, Java software developers may use a library like Log4j to parse logs before they’re archived.
Takeaway: For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.
Robinhood, a stock trading platform, was recently sued in connection with a significant data breach. When high-profile companies like Robinhood suffer losses from a data breach, the glare of scary headlines is only a shadow of the cost to the company. Increasingly, companies are subject to litigation risk and the corresponding damages caused by a breach.
According to a class action lawsuit filed in Federal District Court in the Eastern District of New York, over 7 million individual records were revealed in the Robinhood breach. The lawsuit alleges negligence, breach of contract, breach of fiduciary duty, and other violations of state and federal law.
Plaintiffs point out that this type of breach was reasonably foreseeable, given all the news and information on data breaches in recent years. Plaintiffs claim that Robinhood had a duty to secure users’ personal information. That duty – plaintiffs allege – stems from users’ relationship with the Robinhood service and is actionable based on the Federal Trade Commission Act (FTC Act), which prohibits unfair practices in or affecting commerce, and New York’s SHIELD statute.
Plaintiffs say that Robinhood failed to implement adequate policy, procedure, and technical safeguards, as recommended by the FTC and SHIELD. If those laws create an affirmative duty and obligation for implementing a reasonable security plan, then Robinhood – and others – can be found liable and assessed damages for failure to do so.
What is a “reasonable security plan”? According to Plaintiffs, a reasonable plan includes:
data encryption
employee training
technological tools to defend systems against invasion
But what’s really recommended under SHIELD and FTC, and is that guidance enough to protect companies?
Takeaway: The Department of Justice will use the False Claims Act as the basis for exacting civil penalties against companies that have fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk.
The Department of Justice (DOJ) is getting aggressive with cyber fraud. Lisa O. Monaco, the DOJ’s Deputy Attorney General, who oversees the Department’s Civil Cyber-Fraud Initiative (Initiative), announced recently that the DOJ will actively pursue companies that receive federal funds through federal government contracts when they fail to follow cybersecurity practices. This type of fraud is all too common throughout the federal government’s supply chain. Civil penalties resulting from the DOJ’s new Initiative should be a deterrent for bad actors and contractors who refuse to invest in cybersecurity planning and risk management.
The DOJ will use the False Claims Act (FCA) as the basis for exacting civil penalties against companies who’ve fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk.
Under the FCA, companies can be held liable if they knowingly cause a false claim to be submitted. The standard for knowing is defined as:
Actual knowledge,
Deliberate ignorance of the truth or falsity of the information, or
Reckless disregard of the truth or falsity of the information.
Notably, whistleblowers who come forward and provide information about a violation are protected under the FCA, which even allows the whistleblower to share in the reward following recovery of a claim.
The purpose of the Initiative appears to be two pronged:
Encourage companies and individuals to disclose cybersecurity incidents and breaches.
Recover federal funds from contractors who are not following certain cybersecurity standards.
Those two prongs were emphasized in President Biden’s May 2020 Executive Order (EO) on cybersecurity. The EO promises to “bring to bear the full scope of its authorities and resources” to protect the Country’s cyber infrastructure and assets.
August 15, 2024
Pietragallo Gordon Alfano Bosick & Raspanti, LLP is pleased to announce that 27 lawyers have been named as 2025 The Best Lawyers in America® and Ones to Watch.
July 1, 2024
Partner Douglas K. Rosenblum of Pietragallo Gordon Alfano Bosick & Raspanti, LLP has been appointed as a Hearing Committee Member serving the Disciplinary Board of the Supreme Court of Pennsylvania effective July 1, 2024.