Category Archives: Laws and regulations

Feds arrested Pompompurin, the alleged owner of BreachForums

U.S. law enforcement arrested this week a US citizen suspected to be Pompompurin, the notorious owner of the BreachForums cybercrime forum.

U.S. law enforcement arrested this week a US man who goes online under the moniker “Pompompurin”; the US citizen is accused of being the owner of the popular hacking forum BreachForums.

The news of the arrest was first reported by Bloomberg, which reported that federal agents arrested Conor Brian Fitzpatrick from Peekskill, New York.

The man was arrested by the feds at his home around 4:30 p.m. Wednesday.

“Federal agents have arrested a Peekskill, New York, man they say ran the notorious dark web data-breach site ‘BreachForums’ under the name ‘Pompompurin.’” reads the post published by Bloomberg. “Conor Brian Fitzpatrick was arrested by a team of investigators at his home around 4:30 p.m. Wednesday, an FBI agent said in a sworn statement filed in court the next day. Fitzpatrick is charged with a single count of conspiracy to commit access device fraud.”

In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Langmire said that at around 4:30 p.m. on March 15, 2023, he led a team that made a probable cause arrest of Conor Brian Fitzpatrick in Peekskill, NY.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompompurin,’ and c) he was the owner and administrator of ‘BreachForums’ the data breach website referenced in the Complaint,” Langmire wrote.

According to the Westchester News12 website, the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals for the purpose of selling unauthorized access devices.

Fitzpatrick was released on a $300,000 bond signed by his parents; he is scheduled to appear before the District Court for the Eastern District of Virginia on March 24, 2023.

The defendant must submit to supervision by, and report for supervision to, Pretrial Services as directed; he was also ordered to surrender any passport.

The man has been restricted from contacting his co-conspirators, getting medical or psychiatric treatment, and unlawfully using narcotic drugs or other controlled substances unless prescribed by a licensed medical practitioner.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET.

Pompompurin had always maintained that he was ‘not affiliated with RaidForums in any capacity.’

Law enforcement authorities have yet to shut down the website; another admin of the forum, who goes online with the alias “Baphomet,” announced that he is taking control of the platform.

Baphomet added that he believes the feds have not had access to the infrastructure.

“I also since that point have been constantly monitoring everything and going through every log to see any access or modifications to Breached infra. So far nothing like that has been seen.” said Baphomet. “My only response to LE, or any media outlet is that I have no concerns for myself at the moment. OPSEC has been my focus from day one, and thankfully I don’t think any mountain lions will be attacking me in my little fishing boat.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

Russian Government evaluates the immunity to hackers acting in the interests of Russia

The Russian Government proposed to give a sort of immunity to the hackers that operate in the interests of Moscow.

Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government is considering exempting hackers who act in the interests of Moscow from punishment.

“The question of their exemption from liability needs to be worked out, said Alexander Khinshtein, head of the Duma committee on information policy.” reported the Govoritmoskva website.

The Russian government recognizes the importance of the contribution of cybercriminal gangs and hacktivists to the defense of its interests. This is an important official announcement, even though the Russian government has in the past shown leniency toward cybercriminal gangs that avoided hitting computers inside the country. Multiple ransomware gangs developed their malware to avoid infecting systems in the Commonwealth of Independent States (CIS) region (formed following the dissolution of the Soviet Union in 1991) and instructed their network of affiliates not to target Russian organizations.

The topic is crucial, especially at this historical moment: the ongoing conflict between Russia and Ukraine is characterized by the presence of non-state actors in cyberspace, whose operations are reshaping the threat landscape.

“We are talking about, in general, working out the exemption from liability of those persons who act in the interests of the Russian Federation in the field of computer information both on the territory of our country and abroad,” TASS quotes Khinshtein.

The Russian Parliament announced that this proposal will be discussed in more detail in the coming months, with the intent of better formulating the initiative.

Russian law currently punishes those charged with creating, using, and distributing malware with up to seven years in jail.


Pierluigi Paganini

(SecurityAffairs – hacking, Russian Government)

Twitter restricted in Turkey after the earthquake amid disinformation fear

Global internet monitor NetBlocks reported that Twitter has been restricted in Turkey in the aftermath of the earthquake.

Global internet monitor NetBlocks reported that network data confirm that Twitter has been restricted in Turkey in the aftermath of the earthquake.

The data show that multiple internet providers in Turkey blocked the popular platform as of Wednesday 8 February 2023. TurkTelekom and Turkcell completely blocked access to Twitter, while Vodafone still allowed slower access to Twitter, reported the Balkaninsight website. NetBlocks metrics confirm that the social network Twitter has been restricted by “means of SNI filtering on major internet providers.” SNI filtering blocks a TLS connection by matching the server hostname that the client sends in the clear in the TLS ClientHello, which is why a provider can apply it to a single service without decrypting traffic.

The decision of the government to block Twitter followed growing public anger towards the Turkish government’s response to the devastating earthquakes.

Turkish authorities raised concerns that online disinformation could destabilize the political context in the country while it responds to this emergency.

“Network data confirm the restriction of Twitter on multiple internet providers in Turkey as of Wednesday 8 February 2023.” reported Netblocks. “Service was restored the next morning after state media reported that Turkish authorities had held a meeting with Twitter’s head of policy on disinformation and the need for content takedowns.”

However, people in the country can use VPN services to circumvent internet censorship measures. Twitter remains a crucial source of information for relatives of victims, survivors, and rescuers.

It is important to highlight that natural disasters usually have a significant impact on internet connectivity. NetBlocks reported such connectivity problems in Turkey after the earthquake in the following tweet from the organization:

Internet filtering in the aftermath of an earthquake is absurd, given its impact on a population facing a tragic situation.

This isn’t the first time that the government restricted access to social media following events like terror attacks and protests.


Pierluigi Paganini

(SecurityAffairs – hacking, Turkey)

The Irish DPC fined WhatsApp €5.5M for violating GDPR

The Irish Data Protection Commission (DPC) fined Meta’s WhatsApp €5.5 million for violating data protection laws.

The popular messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).

The DPC has given six months to the Meta-owned company to bring its data processing operations in compliance with the privacy regulation.

“The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service).” reads the DPC’s announcement. “WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.”

In May 2018, ahead of the adoption of the GDPR, WhatsApp updated its Terms of Service, requiring users to agree to the revised terms in order to continue using the messaging app.

The inquiry concerned a complaint filed by the non-profit organization NOYB – European Center for Digital Rights on 25 May 2018.

The Irish regulator pointed out that by making access to its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland forced them to consent to the processing of their personal data. The company claimed that the updates aimed at improving the security and the service, but it clearly breached the GDPR.

The company was not transparent about what processing operations were being carried out on the users’ personal data. According to the DPC, the lack of transparency contravened Articles 12 and 13(1)(c) of the GDPR.

“The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above.” continues the announcement. “Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.”

WhatsApp announced that it will appeal the fine.

“We strongly believe that the way the service operates is both technically and legally compliant,” a WhatsApp spokesperson said. “We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.”

In a post published by NOYB, the organization claims that WhatsApp does not encrypt metadata and shares it with Facebook and Instagram, which use this information to customize ads.

The organization pointed out that metadata can be used to learn the communication behaviour of users, including who communicates with whom and when, who uses the app when, for how long and how often.

“While the communication itself is encrypted, the phone numbers and associated Facebook or Instagram accounts of people are collected. Such information can then be used to personalize ads for users on other Meta platforms like Facebook and Instagram. The DPC seems to have refused to investigate this core matter of the complaints.” reads the post published by Noyb.

The bad news is that the DPC does not plan to investigate whether WhatsApp processes user metadata for advertising.

“WhatsApp says it’s encrypted, but this is only true for the content of chats – not the metadata. WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you.” explained NOYB founder, Max Schrems. “Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations.”

Earlier this year, the Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) over the delivery of its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

The DPC has now imposed fines of more than €1.3bn on Meta, Instagram and WhatsApp.

November 2022 – Irish data protection commission (DPC) fined Meta $414 million for not protecting Facebook’s users’ data from scraping.

September 2022 – The Irish Data Protection Commission has fined Instagram €405 million for violations of the General Data Protection Regulation.

September 2021 – The Irish Data Protection Commission has fined WhatsApp €225 million over data sharing transparency for European Union users’ data with Facebook.


Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)


Google will pay $29.5M to settle two lawsuits over its location tracking practices

Google will pay $29.5 million to settle two different lawsuits in the US over its deceptive location tracking practices.

Google decided to pay $29.5 million to settle two different lawsuits brought by the states of Indiana and Washington, D.C., over its deceptive location tracking practices.

The IT giant will pay $9.5 million to D.C. and $20 million to Indiana after the states filed two lawsuits against the company charging it with having tracked users’ locations without their express consent.

“Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies. Significantly, this resolution also provides users with the ability and choice to opt out of being tracked, as well as restrict the manner in which user information may be shared with third parties,” said Attorney General Karl A. Racine while announcing that Google will pay $9.5 million. “I am proud of how the exceptional lawyers and professionals in my office have creatively applied the District’s strong consumer protection laws to set the standard nationally and provide users far greater control of their personal information.”

“We sued because Google made it nearly impossible for users to stop their location from being tracked. Now, thanks to this settlement, Google must also make clear to consumers how their location data is collected, stored, and used.” Racine added.

Google is currently facing two similar lawsuits in Texas and Washington.

In November, Google agreed to pay $391.5 million to settle with 40 US states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by DoJ.

“Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release.

Oregon Attorney General Ellen Rosenblum, who led the settlement along with Nebraska AG Doug Peterson, pointed out that for years Google has prioritized profit over its users’ privacy.

The authorities started the investigation into Google’s collection practices following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.”

According to the article, there are two settings responsible for the location data collection, the “Location History” and “Web & App Activity”. The former is “off” by default while the latter is automatically enabled when users set up a Google account, including all Android users.

Location data are at the core of the IT giant’s digital advertising business. However, location data can also be used to expose a person’s identity and routines, and even to infer personal details.

Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Google confused its users about the use of the account and device settings to limit Google’s location tracking.


Pierluigi Paganini

(SecurityAffairs – hacking, privacy)


Facebook (Meta) to settle Cambridge Analytica data leak for $725M

Facebook (Meta) has agreed to pay $725 million to settle the class-action lawsuit filed in 2018 over the Cambridge Analytica data leak.

Facebook (Meta) has agreed to pay $725 million to settle a class-action lawsuit filed in 2018 over the Cambridge Analytica data leak.

According to Reuters, the lawyers for the plaintiffs defined the proposed settlement as the largest to ever be achieved in a U.S. data privacy class action.

“This historic settlement will provide meaningful relief to the class in this complex and novel privacy case,” the lead lawyers for the plaintiffs, Derek Loeser and Lesley Weaver, said in a joint statement.

The proposed settlement has to be approved by a federal judge in the San Francisco division of the U.S. District Court.

“Over the last three years we revamped our approach to privacy and implemented a comprehensive privacy program,” reads a statement issued by Meta.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

The way Facebook managed user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data. An FTC settlement obliged the company to review its privacy practices. In 2019, Facebook agreed to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal.

In March 2018, it was publicly revealed that a team of academics had collected a huge amount of user data and shared the information with Cambridge Analytica, which was a commercial data analytics company that allegedly used it to target US voters in the 2016 Presidential election.

The researchers used an app developed by the University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

The app, named “thisisyourdigitallife,” was available to users from 2014; it was provided by Global Science Research (GSR) and asked users to take an online survey for $1 or $2. The app requested access to the user’s profile information, and over 270,000 users gave the app permission to use their personal details for academic research.

The app was a powerful tool for profiling users because it harvested information on their network of contacts; its code allowed it to collect data from over 87 million users.

Back to the $725 million settlement: Reuters reported that the plaintiffs plan to ask the judge to award them up to 25% of the settlement as attorneys’ fees, roughly $181 million.


Pierluigi Paganini

(SecurityAffairs – hacking, Meta)


Irish data protection commission fines Meta over 2021 data-scraping leak

Irish data protection commission (DPC) fined Meta for not protecting Facebook’s users’ data from scraping.

Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook in 2021 that exposed the data belonging to millions of Facebook users.

The Data Protection Commission is also imposing a range of corrective measures on Meta.

“The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.” reads the DPC’s press release.

On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users for free on a hacking forum.

The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.

The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 million from the UK, and 6 million from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Immediately after the disclosure of the data leak, the Irish DPC launched an investigation into potential GDPR violations by Meta. The data were amassed by threat actors exploiting a vulnerability, fixed in 2019, that allowed data scraping from the social network.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

The DPC has now concluded the investigation and found that Meta violated the GDPR by not implementing appropriate technical and organizational measures and not adopting the safeguards required by the European Regulation.

“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Irish privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.


Pierluigi Paganini

(SecurityAffairs – hacking, Meta)


NIST published updated guidance for supply chain risks

The National Institute of Standards and Technology (NIST) has released updated guidance for defending against supply-chain attacks.


NIST has published the “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” in response to Executive Order 14028: Improving the Nation’s Cybersecurity.

“The purpose of this publication is to provide guidance to enterprises on how to identify, assess, select, and implement risk management processes and mitigating controls across the enterprise to help manage cybersecurity risks throughout the supply chain.” reads the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.

The guidance details the risks at all levels of an organization and provides information about the major security controls and practices that organizations should adopt to identify, assess, and respond to these threats.

“Managing the cybersecurity of the supply chain is a need that is here to stay,” wrote NIST’s Jon Boyens, one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”

The experts highlighted the importance of supply chain security for modern products and services. A device may have been designed in one country while its components are manufactured across multiple countries worldwide. This dramatically enlarges the attack surface of organizations worldwide.

A security incident suffered by one of the companies producing these components could have a significant impact on the overall product and service.

“A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data sharing portal,” Boyens added.


Pierluigi Paganini

(SecurityAffairs – hacking, NIST)


FTC warns of legal action against businesses that fail to mitigate Log4J attacks

The US Federal Trade Commission (FTC) has warned of legal action against companies that fail to secure their infrastructure against Log4Shell attacks.

The US Federal Trade Commission (FTC) has warned of legal action against companies that fail to protect their systems against Log4Shell (CVE-2021-44228) attacks.

The move aims at urging organizations to protect their infrastructure while both nation-state actors and cybercriminals are exploiting Log4J flaws in their campaigns.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” reads the announcement published by the US FTC.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future. ”

The US agency urges organizations to assess their infrastructure for Log4J vulnerabilities; it also recommends consulting the Cybersecurity and Infrastructure Security Agency (CISA)’s Apache Log4j Vulnerability Guidance.

The FTC also recommends:

  • Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken so that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
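As an added example (not code from the FTC, CISA or the original post), the assessment step the list calls for can start with an inventory script like the following: it walks a directory, looks inside jars, WARs and nested archives for log4j-core, reads the version from the jar's Maven descriptor, and flags anything below 2.15.0, the first release that fixed CVE-2021-44228, while also reporting whether the JndiLookup class is still present. The two sample archives it scans are constructed inline, and the 2.15.0 threshold covers only that CVE, so the Apache security page linked above remains the reference for which version to run.

```python
"""Find log4j-core jars under a directory (including copies nested in WARs and fat
jars) and flag those below 2.15.0, the first release fixing CVE-2021-44228."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Maven descriptor shipped inside log4j-core 2.x jars; its version= line is
# authoritative even when the jar was renamed or shaded into another archive.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup abused by Log4Shell; Apache's interim
# mitigation for 2.10+ was to delete it from the jar, so its presence is reported.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str            # on-disk path, "!" separating nested archive members
    version: str
    vulnerable: bool     # below FIXED_VERSION, or version unreadable
    jndi_lookup_present: bool


def parse_version(text: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple such as (2, 14, 1)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one in-memory archive, recursing into nested archives (WEB-INF/lib, fat jars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
            version = next((line.split("=", 1)[1].strip()
                            for line in props.splitlines()
                            if line.startswith("version=")), "")
            # An unreadable version is reported as vulnerable: fail closed.
            vulnerable = not version or parse_version(version) < FIXED_VERSION
            findings.append(Finding(label, version, vulnerable,
                                    JNDI_LOOKUP_CLASS in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> list:
    """Walk root and inspect every archive found on disk; returns Findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def build_sample_tree() -> str:
    """Constructed sample (not real Apache jars): a 2.14.1 log4j-core nested in a WAR, a 2.17.1 copy on disk."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def core_jar(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\n"
                        "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(core_jar("2.17.1"))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print("VULNERABLE" if f.vulnerable else "patched", f.version, f.path)
```

Point `scan_tree` at an application directory instead of the constructed sample to inventory real deployments; Log4j 1.x jars carry a different Maven descriptor and are deliberately not matched.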

Recently CISA issued an emergency directive that ordered US Federal Civilian Executive Branch agencies to patch the Log4Shell bug by December 23. The deadline to report systems impacted by the Log4Shell flaw was postponed to December 28.

CISA set up a page dedicated to Log4Shell vulnerabilities and released a Log4j scanner to identify web services affected by Apache Log4j flaws.


Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)
