Log4j Vulnerability Information
Quoted from Jonathan Braley (post 2596):

FTC to fine companies who fail to take reasonable steps to protect customer data from Log4Shell

Summary:

“The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said” (Bleeping Computer, 2022: https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/).

The FTC is asking organizations to take reasonable steps to mitigate known software vulnerabilities. They are leveraging the Federal Trade Commission Act and the Gramm-Leach-Bliley Act to enforce these requirements. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action” (Bleeping Computer, 2022: https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/).

The FTC advises companies to follow CISA's guidance on mitigating the Log4j flaws and:

- Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html
- Consult CISA guidance to mitigate this vulnerability.
- Ensure remedial steps are taken to ensure that your company's practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
- Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
- Under active exploitation since early December

Analyst Comments:

“The warning follows an emergency directive issued by CISA that ordered US Federal Civilian Executive Branch agencies to patch the actively exploited Log4Shell bug until December 23. Federal agencies were also given five more days until December 28 to report Log4Shell-impacted products in their environments, including app and vendor names, the apps' versions, as well as the actions taken to block attack attempts” (Bleeping Computer, 2022: https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/).

CISA provides a dedicated page for the Log4Shell flaws with patching information and has released a Log4j scanner to find vulnerable Java-based apps.

NCSC Scanning Tools: https://github.com/NCSC-NL/log4shell/blob/main/scanning/README.md

Source:
https://www.bleepingcomputer.com/news/security/ftc-warns-companies-to-secure-consumer-data-from-log4j-attacks/