Cyber Flaw Within CRA, Quebec Also Prevails In Private Sector, Experts Warn | The Canadian News

Experts say Canadians should use good “cyber hygiene” in light of the discovery of a massive software flaw that has resulted in the preventive shutdown of thousands of websites.

The federal government, the Quebec government and the Canada Revenue Agency are among the organizations that temporarily suspended websites as a precautionary measure after the Canadian Centre for Cyber Security issued an alert on December 10 about the recently discovered software vulnerability in a Java-based library of an Apache product known as Log4j.

Experts describe the software flaw as akin to “leaving the back door open” in that it could give cybercriminals access to the thousands of organizations that use the open-source logging library.


“What we are talking about here is not an attack or a hack or malware. What we’re talking about is a door that has been left open that can be exploited,” said Brent Arnold, a Toronto-based data breach and litigator at the Gowling WLG law firm. “We already know that people are trying to take advantage of this.”

Arnold said that hackers can use the software flaw to breach an organization’s defenses, meaning they could take control of its web servers, introduce malware or ransomware attacks, or steal customer data.

While public and government institutions seem to be the ones making public statements about Log4j so far, cybersecurity experts say the logging library is widely used in the private sector as well.

Patrick Mathieu, co-founder of Hackfest, a large cybersecurity event in Quebec City, said he is concerned about the lack of communication from companies such as major banks about how they are working on the problem.

“Yes, the government (of Quebec) closed this, but what about the big institutions, finance, insurance, mortgages, medical companies? Are they working on the problem?” Mathieu said.

“The lack of transparency right now is dangerous.”



Even small businesses could potentially be at risk, said Sumit Bhatia, director of Rogers Cybersecure Catalyst at Ryerson University.


“Even if small and medium-sized businesses are not developing a framework like this, they may be using products and services from the people who do,” he said. “And it is important for them to communicate with their service providers and ask them about the steps that have been taken.”

With governments and other organizations scrambling right now to assess their websites and patch them if necessary, experts say there is not much the average Canadian can do at this time to address their personal Log4j vulnerability.

“You have no way of knowing when you visit a website if it has been compromised with a defect. Other than crawling under a rock and not using your computer and not using the internet, there isn’t much (the average user) can do to be on the lookout for this specific problem,” Arnold said.


However, while it is up to businesses and organizations to correct the flaws that exist within their own systems, experts say Canadians should be doubly cautious right now when doing anything online. That means not clicking on suspicious links, being wary of emails from unknown sources, and monitoring your bank balances and credit card statements for unusual activity.

“All we can really do is be alert and do all the things that we should already be doing, but are not doing enough,” Arnold said.


“Change your passwords, log in, and put two-factor authentication on your systems,” Bhatia said. “These are steps that can make people feel at least that they have done their part, while allowing government institutions and businesses to think about how they are going to be preventive with their own measures.”

© 2021 The Canadian Press



Reference-globalnews.ca
