ÐÇ¿Õ´«Ã½

Sci-Tech

    • The security flaw that's freaked out the internet

    cyber attack
    Share
    BOSTON -

    Security pros say it's one of the worst computer vulnerabilities they've ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

    The U.S. Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it's so easily exploitable -- and telling those with public-facing networks to put up firewalls if they can't be sure. The affected software is small and often undocumented.

    Detected in an extensively used utility called Log4j, the flaw lets internet-based attackers easily seize control of everything from industrial control systems to web servers and consumer electronics. Simply identifying which systems use the utility is a prodigious challenge; it is often hidden under layers of other software.

    The top U.S. cybersecurity defence official, Jen Easterly, deemed the flaw "one of the most serious I've seen in my entire career, if not the most serious" in a call Monday with state and local officials and partners in the private sector. Publicly disclosed last Thursday, it's catnip for cybercriminals and digital spies because it allows easy, password-free entry.

    The Cybersecurity and Infrastructure Security Agency, or CISA, which Easterly runs, stood up a resource page Tuesday to help erase a flaw it says is present in hundreds of millions of devices. Other heavily computerized countries were taking it just as seriously, with Germany activating its national IT crisis centre.

    A wide swath of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, said Dragos, a leading industrial control cybersecurity firm. "I think we won't see a single major software vendor in the world -- at least on the industrial side -- not have a problem with this," said Sergio Caltagirone, the company's vice president of threat intelligence.

    Eric Goldstein, who heads CISA's cybersecurity division, said Washington was leading a global response. He said no federal agencies were known to have been compromised. But these are early days.

    "What we have here is a extremely widespread, easy to exploit and potentially highly damaging vulnerability that certainly could be utilized by adversaries to cause real harm," he said.

    A SMALL PIECE OF CODE, A WORLD OF TROUBLE

    The affected software, written in the Java programming language, logs user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers. It runs across many platforms -- Windows, Linux, Apple's macOS -- powering everything from web cams to car navigation systems and medical devices, according to the security firm Bitdefender.

    Goldstein told reporters in a conference call Tuesday evening that CISA would be updating an inventory of patched software as fixes become available. Log4j is often embedded in third-party programs that need to be updated by their owners. "We expect remediation will take some time," he said.

    Apache Software Foundation said the Chinese tech giant Alibaba notified it of the flaw on Nov. 24. It took two weeks to develop and release a fix.

    Beyond patching to fix the flaw, computer security pros have an even more daunting challenge: trying to detect whether the vulnerability was exploited -- whether a network or device was hacked. That will mean weeks of active monitoring. A frantic weekend of trying to identify -- and slam shut -- open doors before hackers exploited them now shifts to a marathon.

    LULL BEFORE THE STORM

    "A lot of people are already pretty stressed out and pretty tired from working through the weekend -- when we are really going to be dealing with this for the foreseeable future, pretty well into 2022," said Joe Slowik, threat intelligence lead at the network security firm Gigamon.

    The cybersecurity firm Check Point said Tuesday it detected more than half a million attempts by known malicious actors to identify the flaw on corporate networks across the globe. It said the flaw was exploited to plant cryptocurrency mining malware -- which uses computer cycles to mine digital money surreptitiously -- in five countries.

    As yet, no successful ransomware infections leveraging the flaw have been detected. But experts say that's probably just a matter of time.

    "I think what's going to happen is it's going to take two weeks before the effect of this is seen because hackers got into organizations and will be figuring out what to do to next." John Graham-Cumming, chief technical officer of Cloudflare, whose online infrastructure protects websites from online threats.

    We're in a lull before the storm, said senior researcher Sean Gallagher of the cybersecurity firm Sophos.

    "We expect adversaries are likely grabbing as much access to whatever they can get right now with the view to monetize and/or capitalize on it later on." That would include extracting usernames and passwords.

    State-backed Chinese and Iranian hackers have already exploited the flaw, presumably for cyberespionage, and other state actors were expected to do so as well, said John Hultquist, a top threat analyst at the cybersecurity firm Mandiant. He wouldn't name the target of the Chinese hackers or its geographical location. He said the Iranian actors are "particularly aggressive" and had taken part in ransomware attacks primarily for disruptive ends.

    SOFTWARE: INSECURE BY DESIGN?

    The Log4j episode exposes a poorly addressed issue in software design, experts say. Too many programs used in critical functions have not been developed with enough thought to security.

    Open-source developers like the volunteers responsible for Log4j should not be blamed so much as an entire industry of programmers who often blindly include snippets of such code without doing due diligence, said Slowik of Gigamon.

    Popular and custom-made applications often lack a "Software Bill of Materials" that lets users know what's under the hood -- a crucial need at times like this.

    "This is becoming obviously more and more of a problem as software vendors overall are utilizing openly available software," said Caltagirone of Dragos.

    In industrial systems particularly, he added, formerly analog systems in everything from water utilities to food production have in the past few decades been upgraded digitally for automated and remote management. "And one of the ways they did that, obviously, was through software and through the use of programs which utilized Log4j," Caltagirone said.

    CTVNews.ca ÐÇ¿Õ´«Ã½

    BREAKING

    BREAKING

    Three men were injured after trying to subdue a man armed with a knife during afternoon prayers at a Montreal-area mosque Friday afternoon.

    A 15-year-old boy who was the subject of an emergency alert in New Brunswick has been arrested.

    Police have arrested an 18-year-old woman who allegedly stole a Porsche and then ran over its owner in an incident that was captured on video.

    Since she was a young girl growing up in Vancouver, Ginny Lam says her mom Yat Hei Law made it very clear she favoured her son William, because he was her male heir.

    The search for a missing six-year-old boy in Shamattawa is continuing Friday as RCMP hope recent tips can help lead to a happy conclusion.

    Canada

    • BREAKING

      BREAKING

      Three men were injured after trying to subdue a man armed with a knife during afternoon prayers at a Montreal-area mosque Friday afternoon.

    • Police have arrested an 18-year-old woman who allegedly stole a Porsche and then ran over its owner in an incident that was captured on video.

    • The search for a missing six-year-old boy in Shamattawa is continuing Friday as RCMP hope recent tips can help lead to a happy conclusion.

    • The debate over sexual orientation and gender identity education in schools is heating up. Protests both for and against SOGI in the curriculum took place across the country Friday.

    • The parents of a teenager who died after allegedly consuming the poisonous products of a Mississauga man are now suing him, as well as several doctors involved in her care.

    • Relatives of a 60-year-old man who took his own life in a Nova Scotia jail after long periods of confinement in his cell have launched a lawsuit against the province.

    World

    Politics

    Health

    • A Nova Scotia woman has applied for a medically assisted death, saying after years of battling to receive out-of-country surgery for an illness that causes 'indescribable' pain, she struggles to maintain the will to live.

    Sci-Tech

    Entertainment

    • Getting a photograph of a rainbow? Common. Getting a photo of a lightning strike? Rare. Getting a photo of both at the same time? Extremely rare, but it happened to a Manitoba photographer this week.

    • It was the last show for longtime children's TV star Ron (Buck Shot) Barge Friday as hundreds of family, friends and fans attended a public memorial in Calgary.

    Business

    Lifestyle

    Sports

    • The Winnipeg Blue Bombers have won five in a row. The Edmonton Elks have won five of their last six games. They are the two hottest teams in the West. When they meet Saturday at Commonwealth Stadium, something has to give.

    • Agreement in principle has been reached to build a new NHL arena at LeBreton Flats has been reached between the Ottawa Senators and the National Capital Commission (NCC), the two sides announced Friday.

    • F1 star Max Verstappen punished over bad word

      Formula One points leader Max Verstappen was ordered to 'accomplish some work of public interest' after uttering an inappropriate word Thursday at the news conference ahead of the Singapore Grand Prix.

    Autos

    Local Spotlight

    Getting a photograph of a rainbow? Common. Getting a photo of a lightning strike? Rare. Getting a photo of both at the same time? Extremely rare, but it happened to a Manitoba photographer this week.

    An anonymous business owner paid off the mortgage for a New Brunswick not-for-profit.

    They say a dog is a man’s best friend. In the case of Darren Cropper, from Bonfield, Ont., his three-year-old Siberian husky and golden retriever mix named Bear literally saved his life.

    A growing group of brides and wedding photographers from across the province say they have been taken for tens of thousands of dollars by a Barrie, Ont. wedding photographer.

    Paleontologists from the Royal B.C. Museum have uncovered "a trove of extraordinary fossils" high in the mountains of northern B.C., the museum announced Thursday.

    The search for a missing ancient 28-year-old chocolate donkey ended with a tragic discovery Wednesday.

    The Royal Canadian Mounted Police is celebrating an important milestone in the organization's history: 50 years since the first women joined the force.

    It's been a whirlwind of joyful events for a northern Ontario couple who just welcomed a baby into their family and won the $70 million Lotto Max jackpot last month.

    A Good Samaritan in New Brunswick has replaced a man's stolen bottle cart so he can continue to collect cans and bottles in his Moncton neighbourhood.

    • The debate over sexual orientation and gender identity education in schools is heating up. Protests both for and against SOGI in the curriculum took place across the country Friday.

    • A fire that destroyed a historic bridge in Kamloops, B.C., is now being investigated as arson, local Mounties say.

    • A teenager has been charged with multiple offences related to stabbings that occurred in Surrey's Newton neighbourhood last week.

    • Police have arrested an 18-year-old woman who allegedly stole a Porsche and then ran over its owner in an incident that was captured on video.

    • The parents of a teenager who died after allegedly consuming the poisonous products of a Mississauga man are now suing him, as well as several doctors involved in her care.

    • Michael Ford, Ontario's minister of citizenship and multiculturalism, says he is taking a leave of absence from cabinet to prioritize his health.

    • Calgary Mayor Jyoti Gondek is urging the Alberta government to preserve pieces of the massive Green Line transit project now being dissolved.

    • A Lethbridge resident is facing charges after police seized drugs and weapons at a traffic stop for bicycle equipment violations.

    • It was the last show for longtime children's TV star Ron (Buck Shot) Barge Friday as hundreds of family, friends and fans attended a public memorial in Calgary.

    • Agreement in principle has been reached to build a new NHL arena at LeBreton Flats has been reached between the Ottawa Senators and the National Capital Commission (NCC), the two sides announced Friday.

    • Police say a man, 34, who was taken to hospital in critical condition after being shot Thursday night has died.

    • Ottawa police are investigating a shooting downtown Friday afternoon.

    • BREAKING

      BREAKING

      Three men were injured after trying to subdue a man armed with a knife during afternoon prayers at a Montreal-area mosque Friday afternoon.

    • When Bernard Morissette got a call from Loto-Quebec on Sept. 18 and was asked if he was sitting down, he had no idea what was coming his way.

    • "We love you, Eddy!" screamed the 350 students at Terry Fox Elementary School in Pierrefonds. They didn't know the man their school is named after, but they knew Eddy Nolan who would visit regularly and encourage the students to participate in "the Terry Fox Run".

    • Mounties say there was an increased police presence in the Emerald Hills area of Sherwood Park on Friday morning as officers searched for a man who is wanted by police.

    • There's a friendship in the Edmonton Oilers crease between Stuart Skinner and Calvin Pickard.

    • There are plenty of fun happenings in Edmonton this weekend. It's time to savour that last little bit of the summer season before the leaves really start coming down.

    • A 15-year-old boy who was the subject of an emergency alert in New Brunswick has been arrested.

    • Relatives of a 60-year-old man who took his own life in a Nova Scotia jail after long periods of confinement in his cell have launched a lawsuit against the province.

    • Family, friends and fans of late hip hop artist and battle rapper, Pat Stay will gather at events held in his honour on Saturday and Sunday.

    • The search for a missing six-year-old boy in Shamattawa is continuing Friday as RCMP hope recent tips can help lead to a happy conclusion.

    • Pedestrians are getting a step closer to being able to cross Portage and Main.

    • A Manitoba veterinary clinic has two new ways of figuring out what’s causing a horse to be lame.

    • Five Regina schools have been placed in lockdown or secure the building mode following a report of a weapons investigation at Miller High School on Friday.

    • A 21-year-old man from Codette, Sask. is facing numerous charges in connection to a fatal crash near Wapella, Sask. Wednesday night that claimed the life of a 22-year-old Alberta woman.

    • The City of Regina and provincial government have committed a combined $400,000 to Carmichael Outreach for an 80-person warming space set to open no later than Nov. 1.

    • Protests were held in front of Kitchener City Hall on Friday, both for and against LGBTQ2S+ inclusive education and queer rights in schools.

    • Levels of hydrogen sulfide gas are being monitored at Brantford Collegiate Institute after a leak in their geothermal system.

    • Police have arrested an 18-year-old woman who allegedly stole a Porsche and then ran over its owner in an incident that was captured on video.

    • The Métis Nation of Saskatchewan has pulled out of a national body representing Métis, citing problems with an Ontario group and throwing the future of the Métis National Council into question.

    • The second-degree murder trial of Thomas Hamp is being adjourned until December so an expert witness central to the trial can testify.

    • A 69-year-old woman from Outlook, Saskatchewan is dead and three people are injured after a truck and SUV collided on Highway 15 on Thursday.

    • Emergency crews in northern Ontario found the bodies of four people inside a home where a fire broke out Thursday night.

    • Police have arrested an 18-year-old woman who allegedly stole a Porsche and then ran over its owner in an incident that was captured on video.

    • A 26-year-old driver from Surrey, B.C., has been charged with three counts of criminal negligence causing death and bodily harm in a crash that killed two youths in northern Ontario last year.

    • On Thursday, just before noon, emergency services were called to the area of Curtis Street and Hiawatha Street due to reports of a couch on fire.

    • A man is in hospital with life threatening injuries following a collision between a motorcycle and a vehicle on Friday afternoon.

    • Members of the 2SLGBTQ+ community and supportetrs greatly outnumbered the people attending a '1 Million March 4 Children' event along Central Avenue.

    • Two men from Barrie have been charged after a deadly shooting at a park in Keswick on Wednesday.

    • A 17-year-old from Markham is facing serious charges after an August 11 shooting at a party in Caledon.

    • Provincial police are investigating vandalism in Huntsville after the "senseless destruction" of flower displays along Main Street East.

    • The Special Investigations Unit (SIU) is searching for the occupants of a vehicle caught on security cameras during a fatal police-involved shooting on Goyeau Street.

    • Windsor police say a 25-year-old mother has been charged with the drowning death of her 5-year-old child in the family’s backyard pool.

    • A peaceful transition of power is taking place at the Caldwell First Nation after its recent election held on Sept. 14.

    • New Democrat Leader David Eby has launched his British Columbia election campaign a day early, making the key battle ground of Surrey his first stop.

    • The Old Man Lake wildfire near Sooke is the only one currently burning on Vancouver Island. It’s a region of the province that this year saw a drastic drop in blazes in the backcountry.

    • The debate over sexual orientation and gender identity education in schools is heating up. Protests both for and against SOGI in the curriculum took place across the country Friday.

    • A pair of runaway pigs are in the custody of an animal sanctuary in the Okanagan after evading police and volunteers for hours earlier this week.

    • The Red Bridge, a historic landmark in Kamloops, B.C., was completely destroyed by fire early Thursday morning.

    • Animal protection officers in British Columbia have rescued three pit bulls – including one that gave birth to 10 puppies – from a rat-infested home in Kelowna.

    • A Lethbridge resident is facing charges after police seized drugs and weapons at a traffic stop for bicycle equipment violations.

    • A Vulcan, Alta., man has been charged with a Lethbridge woman's murder after her body was found in the Oyen area.

    • A Lethbridge couple got a good reminder as to why you should keep your vehicle doors locked at all times.

    • A 26-year-old driver from Surrey, B.C., has been charged with three counts of criminal negligence causing death and bodily harm in a crash that killed two youths in northern Ontario last year.

    • Ontario Provincial Police say three suspects from southern Ontario have been charged and drugs worth $300,000 have been seized following a traffic stop Sept. 16.

    • A Brampton driver, 27, was charged this week when northern Ontario police stopped the SUV he was driving on Highway 17 after a reported shooting and found more than $100,000 in cash.

    N.L.

    Shopping Trends

    The Shopping Trends team is independent of the journalists at CTV News. We may earn a commission when you use our links to shop. Read about us.

    Stay Connected
    Follow CTV News