Australian governments and businesses have been warned they face their greatest hacking threat yet, Apache Log4j. John Stapleton reports on Australian Cyber Security Centre warnings of possible widespread systems failure.
There has always been a dystopian theory that in historical terms the internet was just a prelude to another Dark Age, that the remarkable connectivity we now all enjoy was little more than an illusion which could not last. The internet was so vast, complex and infested with bad actors it would inevitably collapse.
That is the era we are now entering. Whether it is old age pensions or car registration, Australians and their governments rely utterly on computers, and as developments over the past month have illustrated, these systems are extremely vulnerable.
The devil child of the moment, if you want to call it that, is the very technically named Log4j computer vulnerability, which has left governments and corporations worldwide open to attack and scrambling to patch, or repair, their systems. It is being called the biggest cyber security breach in history.
With the news bandwidth consumed by Omicron and the public inured to cyber scare stories, the scale of the recent Log4j story and the implications it has for the secure operation of government services and infrastructure is only just becoming more broadly understood.
A worse worst-case scenario
News of the threat, a flaw in a ubiquitous piece of software called Apache Log4j, spread like wildfire through the industry after it became public knowledge on 10 December.
In a worst case scenario, the flaw could, for example, lead to the collapse of the Centrelink payment system. Such an eventuality, now regarded as a real possibility, would lead to social chaos across the country within weeks as millions of welfare recipients already living on the breadline struggled to feed themselves and their children.
From Defence to Health, these types of disaster scenarios are now beginning to fester in the minds of security experts.
There are widespread calls for change, from the urgency with which Australia’s public service mandarins deal with cyber security issues right through to a line-by-line review of dated or out-of-service software still in use.
Alarmingly, the flaw allows hackers to remotely take over entire computer systems.
A large menu of targets
Of particular concern in the Australian context is the use by government departments of out of date or unsupported software which may make systems impossible to patch.
“Logging is a fundamental feature of most software, which makes Log4j very widespread,” writes Professor Santiago Torres-Arias at America’s Purdue University. “Hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers.
“A large number of hackers are already trying to abuse Log4Shell. These range from groups trying to mine bitcoin to hackers associated with China and North Korea trying to gain access to sensitive information from their geopolitical rivals.”
Security experts say entire departments and organisations could already have been infiltrated without defenders being able to identify the intruders.
The Australian Cyber Security Centre has issued a series of updates calling on all organisations in the country to check for vulnerabilities immediately.
Their public warning read in part: “The ACSC is aware of widespread scanning and reconnaissance activity against Australian organisations by malicious actors to identify the Log4j vulnerability. The ACSC has observed successful exploitation of the Log4j vulnerability and the compromise of systems and networks within Australia and globally, across all sectors of the economy.
“The ACSC is also aware of reporting that malicious cyber actors have patched Log4j on systems after exploitation and compromise to avoid detection by security teams.”
In technical terms the ACSC notes: “An observed string substitution obfuscation technique which seeks to obscure exploitation of the remote code execution vulnerability can cause an infinite recursion resulting in a denial of service condition in versions of Log4j between 2.8.0 and 2.16.0.”
In plain English, a malicious actor can remotely throw a software system totally out of kilter, for instance bringing a payroll system to a complete standstill.
That would leave almost as many unhappy public servants as welfare recipients.
There are many questions over whether vulnerabilities persist in the Australian government’s cyber systems.
UNSW researcher Professor Salil Kanhere puts it thus: “Software systems and web services are so complex, and so layered with dozens of stacked levels of abstraction, code running on code on code, that it could take months for all these services to update. It will likely take a long time, potentially even years, till we can fully eliminate the effects of this vulnerability.
“Organisations need to understand that even if they have secured their infrastructure from exploitation against the Log4j vulnerability, it is highly possible and perhaps likely that many of these components were silently breached, and effectively hidden.
“It is thus imperative that organisations undertake extensive monitoring and assessment of their systems. It is important to be super vigilant.
“Attempts to leverage this vulnerability by malicious entities remain very high.”
While there have been initial patches made on vulnerable government systems, attack vectors may well remain open or have already been breached.
Experts fear a reliance on out of date or inadequately supported software means some government systems remain vulnerable.
The crisis comes after a long history in Australia of a clunky or plain difficult relationship between government bureaucrats and the IT industry generally.
Audit audit audit
While much happens beneath the surface, a recent, widely reported and, for the government, embarrassing example of outdated software in use was the Australian Defence Department still running Microsoft Windows XP long after it was out of support and therefore no longer receiving security patches.
The slow-moving nature of Australian bureaucracy and its traditionally fraught relationship with the IT industry make securing these systems even more difficult.
Industry experts can call all they like for the use of the latest software with constant updates, but these calls can fall on very stony ground.
The central issue for government departments is Log4j’s use in enterprise software, that is, system-wide software. Such products have many components and are not written by a single vendor. The difficulty arises where Apache software is embedded as a sub-component: the fix reaches customers through the product vendor’s own patches, which will include the Apache update, but on the vendor’s own release cycle. This leaves a window of vulnerability until that patching is completed.
IT expert George Fong said there was only one solution to the current situation exposed by Log4j: “Audit, audit, audit.”
He is also calling for a complete transformation in the way governments approach cyber security.
“Change is more often than not driven by a major and sometimes catastrophic failure rather than longer term transitional planning.
“In terms of the overall structure of governance over systems in the Federal Government, I’d be concerned, not just in respect of Log4j but generally in terms of the levels of audit and risk management. Many different departments, many different systems, many different administrative and governance structures.
“The Australian Government has long had a problem listening to industry, whether on metadata retention, encryption, or many other issues. They would do well to change this culture.”
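As an added illustration of the kind of audit Fong calls for, and of the bundled-component problem described above (this code is not from the article, the ACSC or any vendor), a Python helper that walks a directory, opens each JAR, WAR or EAR, recurses into archives nested inside them, and reports every bundled log4j-core together with whether its version falls inside the 2.8.0 to 2.16.0 range quoted in the ACSC note. The Maven pom.properties path, the inclusive treatment of that range and the sample WAR the last function builds are assumptions made here.

```python
import io
import os
import re
import zipfile

# Inclusive version range quoted in the ACSC note above; treating both ends as
# affected is an assumption, and the range should track whatever advisory applies.
AFFECTED_LOW, AFFECTED_HIGH = (2, 8, 0), (2, 16, 0)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Maven-built log4j-core JARs record their version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.12.1' -> (2, 12, 1); a trailing suffix such as '-rc1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version):
    """True when the version lies within the quoted 2.8.0 to 2.16.0 range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH

def scan_archive(data, location):
    """Yield (location, version) per log4j-core in the bytes, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container, nothing to inspect
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        yield location, line.split("=", 1)[1].strip()
            elif name.lower().endswith(ARCHIVE_EXT):
                # EAR -> WAR -> WEB-INF/lib JAR: record the nesting path with '!'
                yield from scan_archive(zf.read(name), location + "!" + name)

def audit_tree(root):
    """Walk a directory tree; return [(location, version, affected)] for each find."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    data = fh.read()
                for loc, ver in scan_archive(data, full):
                    findings.append((loc, ver, is_affected(ver)))
    return findings

def build_sample_war(version):
    """Constructed offline input: a WAR bundling a nested log4j-core JAR (no real product)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

Running audit_tree over an application server's deployment directory lists each nested copy separately, which is what makes vendor-bundled copies visible when a top-level package check would miss them.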
Don’t forget to change your password
Laurie Patton, former Chief Executive of Internet Australia, said: “This government, in particular, refuses to accept advice from industry. The most glaring case is the NBN, where a host of broadband experts told it that using the old run-down Telstra copper network would be a disaster, as it has been.
“More recently there’s the COVIDSafe app. Within hours of its release a number of cryptographers had reverse-engineered it and found fundamental flaws. In a rare move Apple and Google came up with a solution but the Health Minister has simply ignored industry calls to fix the app.”
Experts uniformly warn that while Apache Log4j is getting all the attention right now, other threats could become equally pressing.
The security of the systems we have come to rely on so utterly is at risk. During the Covid era the Australian government has placed itself front and centre of every citizen’s life, and yet at no other time in history has its ability to deliver been more at risk.
As Professor Kanhere notes: “The original attack possessed severe risk to millions of consumer products, enterprise software and web applications. While many organisations have proactively applied the provided updates and patches, it is very likely that a non-trivial fraction are yet to be fully updated. So far, attackers have exploited the flaw to install crypto-miners on vulnerable systems, steal system credentials, burrow deeper within compromised networks, and steal data. But there is potential for other exploits that are not yet known.”
A spokesperson said that, while it would not provide details, the Australian Cyber Security Centre was aware of malicious cyber actors conducting reconnaissance scans in Australia and compromising Australian networks through the critical Log4j vulnerability.
Their latest advisory, issued on 7 January, is aimed at Company Directors and Boards. It warns: “Australian organisations are being targeted and compromised. A large number of Australian organisations use products or services which use the Log4j library. The vulnerability is a serious business risk and has the potential to significantly disrupt business operations, incur significant incident response costs, damage your organisation’s brand and reputation, and depending on the response of the Board, may be a cause of shareholder or regulatory action.”
The Defence Minister Peter Dutton has been approached for comment.
The question remains: just how vulnerable are the Australian government’s systems? Have they already been breached?
John Stapleton worked as a staff reporter on The Sydney Morning Herald and The Australian for more than 20 years. His books include Thailand: Deadly Destination and Terror in Australia: Workers' Paradise Lost. He currently edits A Sense of Place Magazine.
30 years ago, history went under the hammer at Cockatoo Island when the contents of the former naval dockyard went up for sale. Many buyers got a bargain, but some conservation groups were disappointed.
First published in the Sydney Morning Herald on October 29, 1991.
The auctioneer’s voice echoes beneath the high ceilings while the dealers, the crafty old codgers and the simply curious mill among the banks of machines.
As the last dock workers look on sullenly, Cockatoo Island is going up for auction, with more than 5,000 lots for sale.
Much of the large machinery which belonged to the Commonwealth Government has been taken to shipbuilders in Western Australia.
Nearly everything else is for sale, with no reserve prices, including lathes, borers, overhead travelling cranes, office furniture, hundreds of metres of rope, a hydraulic chain-tester and pneumatic hoist.
One of the largest lathes in Australia, 12.2 metres long and weighing an estimated 150 tonnes, sold for $15,000, and its buyer, Mr Brian Hemsworth, of Australian Winch and Haulage Pty Ltd, estimated it would cost $300,000 to get it off the island and reassemble it at his Smithfield workshop.
But a new lathe would set him back more than $2 million.
Much of the machinery on offer is more than 30 years old.
Mr Bob Spark, manager of MD Machinery Pty Ltd, said the prices being paid for equipment were amazing considering its age and the cost of getting it off the island.
“It is the day before yesterday’s technology,” he said.
Many commented that the spirited bidding was an indication of the economy, because few firms could afford new equipment.
Auctioneer Mr Storm Jacklin said bidding had been stronger than anticipated, with about $1.4 million in sales.
But Mr Stephen Davies, conservation director of the National Trust, said: “It seems crazy to be selling these things, many of the items which we know are significant, before you even know what you are going to be selling for. The whole way the sale has gone on threatens the integrity of the site.”
Industrial archaeologist Mr Carl Doring said he was very disappointed so much machinery was on sale.
“The list of equipment for sale contains a lot of items of likely historical significance,” he said. “To me the sale is too rushed.
“It is rather unfortunate that at a time when the Federal Government is trying to promote manufacturing productivity they themselves are dismantling one of our major engineering facilities.
“Cockatoo Island is also a site of industrial heritage which would go a long way towards increasing the public’s appreciation of work and the work ethic. We are abandoning our existing capacity to undertake major engineering work.”
Currently, Cockatoo Island is open to the public with a number of activities available as well as accommodation in the form of apartments and a campground. The island, a World Heritage Site, has also played host to the arts in the form of a number of festivals and exhibitions including the Biennale of Sydney and the Nick Cave–curated All Tomorrow’s Parties music festival. Next month will see a performance of the opera Carmen.
Julian Novitz, Swinburne University of Technology.
Email newsletters might be associated with the ghost towns of old personal email addresses for many: relentlessly accumulating unopened updates from organisations, stores and services signed up to and forgotten in the distant past. But over the last few years they have experienced a revival, with an increasing number of writers supplementing their income with paid newsletter subscriptions.
Most recently, Salman Rushdie’s decision to use the newsletter subscription service Substack to circulate his latest book has sparked conversation around this platform and its impact on the world of publishing.
What is Substack?
Launched in 2017, Substack allows writers to create newsletters and set up paid subscription tiers for them, offering readers a mixture of free and paywalled content in each edition.
Substack has thus encroached on the traditional territories of newspapers, magazines, the blogosphere – and now trade publishing, though it is worth noting that until now it has been most enthusiastically adopted by journalists rather than authors.
Rather than monetising the service via advertising, Substack’s profits come from a percentage of paid subscriptions. Substack’s founders see the platform as a way of breaking from the ‘attention economy’ promoted by social media, allowing a space for more thoughtful and substantial writing that is funded directly by readers.
Rushdie’s decision to publish via Substack signals a surprising inroad into one of the areas associated with trade publishing – literary fiction – and certainly makes for a good news story. He is the first significant literary novelist to publish a substantial work of fiction via the platform and Rushdie himself talks jokingly about helping to kill off the print book with this move.
However, the novella that Rushdie is intending to serialise will almost certainly be available in a more conventional format at some point in the future, given all Substack writers retain full rights to their intellectual property.
Other experiments with digital self-publication by prominent fiction authors, such as Stephen King’s novella Riding the Bullet (first published independently as an eBook), and the fiction first generated on Twitter by writers like David Mitchell and Neil Gaiman, have made their way to traditional publishers.
While this movement provides excellent publicity for Rushdie and the Substack service, it’s perhaps better understood as a limited term platform exclusivity deal than as a radical disruption of the literary publishing ecosystem.
Potentially more interesting is what the “acquisition” of Rushdie by Substack illustrates about their operation as a digital service. Throughout its history, Substack has offered advances to promising writers to support them while they cultivate a subscriber base.
This practice has now been formalised as Substack Pro, where selected writers, like Rushdie himself, are paid a substantial upfront fee to produce content, which Substack recoups by taking a higher percentage of their subscription fees for their first year of writing.
The exact sums paid vary between writers, but it is not dissimilar to a traditional advance on royalties. When coupled with some of the other services that are available to writers with paid subscriptions – like a legal fund and financial support for the editing, design, and production of newsletters – Substack can be seen as operating in a grey area between publisher and platform.
They pursue promising and high-profile writers, generate income, and provide services in ways that parallel the operations of trade publishers, but do not claim rights or responsibilities in relation to the content that is produced.
Although Substack do not see themselves as commissioning writers, it could be argued they do play an editorial role in curating content on their platform through not terribly transparent Substack Pro deals and incentives.
The evolution of Substack
Recently Jude Doyle, a trans critic and novelist, has abandoned the platform. They note the irony of how profits generated by the often marginalised or subcultural writers who built paid subscriber bases in the early days of Substack are now being used to fund the much more lucrative deals offered to high-profile right-wing writers, who have in some cases exploited Substack’s weak moderation policy to spread anti-trans rhetoric and encourage harassment.
It could be argued Substack Pro is evolving into an inversion of the traditional (if somewhat idealised) publishing model, where a small number of profitable authors would subsidise the emergence of new writers. Instead, on Substack, profits generated from the work of large numbers of side-hustling writers are used to draw more established voices to the platform.
The founders of Substack have been unapologetic about their policies, considering the “unsubscribe” button to be the ultimate moderation tool for their users. They do, however, acknowledge Substack’s free-market approach may not appeal to all and anticipate competition from alternatives.
Ghost already exists as a non-profit newsletter platform with a more active approach to moderation, and Facebook’s Bulletin provides a carefully curated newsletter service from commissioned writers.
At this stage, the use of newsletters for literary fiction is an experiment, and it remains to be seen if it will be sustainable. As Rushdie puts it: “It will either turn out to be something wonderful and enjoyable, or it won’t.”