Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Updated: August 24, 2023
Published: December 17, 2021
This week, the Department of Homeland Security ordered federal agencies to “urgently eliminate” a security bug that impacted an unknowable number of entities.
As TIME reported, top U.S. cybersecurity defense official Jen Easterly deemed the flaw “one of the most serious I’ve seen in my entire career, if not the most serious,” in a call with authorities. “Publicly disclosed last Thursday, it’s catnip for cybercriminals and digital spies because it allows easy, password-free entry.”
Okay, but what does that all mean? I wanted to find out. Partly because I was interested and partly because I can't stand feeling like I'm not tech-savvy enough to be part of the conversation. So I asked Osano's CTO, Scott Hertel, to explain it to me like he was explaining it to his kids. Here's what I found out based on that conversation and recent media reports.
What is Log4j?
In industry speak, Log4j is an open-source logging tool. If that means nothing to you: Same. So I asked around. What it means in layman’s terms is that Log4j is a tool web developers use to get reports, in text files, of what’s happening with their code. It’s the most widely used tool for “debugging,” or fixing, issues that show up in the code developers are writing.
Think about Log4j reports as journal entries for web developers. Sometimes, the logs are just recording entries. Sometimes, those logs tell you there are red flags in that journal entry.
Often, Log4j is the roadmap to where the problems exist.
Why did Log4j make news this week?
Okay, so every developer basically uses Log4j. On Dec. 10, New Zealand’s cyber-security incident reporting site reported that the Log4j vulnerability was being exploited. “Reports from online users show that this is being actively exploited in the wild and that proof-of-concept code has been published.”
What the heck does that mean? Log4j had a security hole, and hackers were using it. Unless web developers using Log4j updated their software to the “patched” version – that means “fixed,” in developer speak – their systems were at risk: malicious actors could take control of the affected system from the outside. As Osano Chief Technology Officer Scott Hertel explained to me, the Log4j vulnerability was like “lowering the drawbridge to the castle.” Hackers that wanted to exploit the vulnerability could get inside if they acted quickly, before organizations made the appropriate “patches.”
“To exploit Log4Shell, an attacker only needs to get the system to log a strategically crafted string of code,” WIRED reported. “From there they can load arbitrary code on the targeted server and install malware or launch other attacks.”
Here’s why it’s still a bit scary
It’s hard to know how many sites were affected by the Log4j vulnerability. It’s such a pervasive tool that chances are any given developer might be running Log4j without knowing it’s within their infrastructure, because it is often pulled in by other software rather than installed on purpose.
The repercussions are still to be seen.
As WIRED reported, “What is almost certain is that for years people will be discovering the long tail of new vulnerable software as they think of new places to put exploit strings,” said independent security researcher Chris Frohoff. “This will probably be showing up in assessments and penetration tests of custom enterprise apps for a long time.”
Security experts say the best thing to do is patch the vulnerability. If you have “an internet-facing server” that’s vulnerable to the Log4j flaw, “you almost certainly have an incident response on your hands.”
So make sure your company investigates where it might be using Log4j, and get patching! In the meantime, here's the week's big news. Happy holidays!
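To act on the “find out where you’re using Log4j” advice, here is an added example (not from Osano or the original post) that inventories log4j-core jars on disk, including copies nested inside WAR files or other jars, which is exactly how a team ends up running Log4j without knowing it. The 2.17.1 “needs patching” threshold and the sample file tree built in `demo()` are assumptions constructed for this example.

```python
import io, os, re, tempfile, zipfile

# Assumption for this example: anything older than 2.17.1 is flagged; set your own baseline.
FIXED = (2, 17, 1)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(filename):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.search(filename)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def scan_archive(data, label):
    """Look for log4j-core inside an archive, recursing into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            ver = parse_version(entry.rsplit("/", 1)[-1])
            if ver:
                hits.append((f"{label}!{entry}", ver))
            elif entry.lower().endswith(ARCHIVES):
                hits.extend(scan_archive(zf.read(entry), f"{label}!{entry}"))
    return hits

def scan_tree(root):
    """Walk a directory tree; report (location, version, needs_patch) per copy found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ver = parse_version(name)
            if ver:
                hits.append((path, ver))
            elif name.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), path))
    return sorted((loc, ".".join(map(str, v)), v < FIXED) for loc, v in hits)

def demo():
    """Constructed fixture: one loose old jar plus a WAR hiding a jar two levels deep."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb").close()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("lib/log4j-core-2.17.1.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/helper.jar", inner.getvalue())
    return [(os.path.relpath(loc, root), v, bad) for loc, v, bad in scan_tree(root)]
```

Point `scan_tree()` at an application or server directory; every hit marked `True` is a copy that still needs patching, and the `!`-separated location tells you which archive it is buried in.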
Log4j, the vulnerability that panicked an entire industry this week
Security professionals say it's one of the worst computer vulnerabilities they've ever seen, the AP reports. The Department of Homeland Security told federal agencies to immediately fix the security bug because "it's so easily exploitable." The utility, Log4j, is one of the most widely used developer tools, and the vulnerability allows hackers to "easily seize control of everything from industrial control systems to web servers and consumer electronics."
Apple privacy changes incite Polish regulatory investigation
Apple is facing an investigation in Poland over whether its new rules on privacy and personal data processing for iOS devices violate competition law, Reuters reports. Following Apple’s update to its operating system, users can now opt out of being tracked by digital advertisers. But the Polish anti-monopoly regulator said the update hurt third-party apps by limiting their ability to obtain personal data to send ads. The Polish regulator is concerned Apple’s actions may be a “case of exclusionary abuse of market power.”
Norway fines Grindr $7M for violating the GDPR
Norway’s privacy authority has fined dating app Grindr 64 million kroner ($7.6 million) for sending sensitive personal data to hundreds of potential advertising partners without user consent, the New York Post reports. It’s the Norwegian Data Protection Authority’s highest fine to date. Grindr said the ruling, which alleges the company violated the EU’s GDPR, is based on consent policies from years back, not its current practices. It will appeal the fine.
FTC may consider rule to limit commercial surveillance
The U.S. Federal Trade Commission is considering creating a rule aimed at digital platforms that track their users or allow others to do so. The FTC listed a “Trade Regulation Rule on Commercial Surveillance” in its submission to the Office of Management and Budget on potential upcoming regulatory actions, TechCrunch reports. The rule would “curb lax security practices, limit privacy abuses and ensure that algorithmic decision-making does not result in unlawful discrimination,” the report states.
How to prepare for the CPRA: California’s incoming privacy law
The California Privacy Rights Act (CPRA) of 2020 will replace the California Consumer Privacy Act (CCPA) of 2018. Many organizations will need to make some adjustments to data processing and sharing based on the new requirements. In this webinar, learn from Hogan Lovells’ Julian Flamant, Hintze Law’s Jevan Hutson and Osano’s Catherine Dawson about the changes to come on Jan. 1, 2023, and why you need to make changes much sooner than that.
French data protection authority demands Clearview stop collecting faces
The French data protection authority (CNIL) has ordered Clearview AI, a facial recognition company, to stop amassing and using data from French people, Reuters reports. This week, the CNIL made a “formal demand” and said the company’s collection of publicly-available facial images on social media and the internet had no legal basis and therefore breached the EU GDPR. Clearview AI denies it breached the law, saying it doesn’t have any customers in France or the EU.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.