What the hack is Log4j?
Photo (Mati Mango from Pexels): LOG4J concerns system administrators worldwide
Java, isn't that an island in Indonesia or a type of coffee? In fact, Java is also a programming language. The name was probably chosen because programmers like to consume a lot of coffee. Log4j is the abbreviation for "Logging for Java". It is a small program that is supposed to help find errors in software written with Java. Unfortunately, this utility itself had a flaw that made it possible to hack Java programs such as web servers and cause great damage. Because this vulnerability was relatively easy to exploit, alarm bells were ringing in IT departments around the world at the end of December last year. A whole range of systems were affected, even at large companies like Tesla, Apple, Google or Amazon. The German Federal Office for Information Security (BSI) issued a red alert of the highest threat level.
In the ITS, the news that Log4j was a massive security problem brought great anxiety into the pre-Christmas period. Quick action was required. Starting partly on the weekend immediately after the vulnerability became known, the responsible system administrators checked numerous servers and attempted to close the security hole immediately. In a second step, possibly affected systems were examined to see whether an attack had already been successful. Not least due to this quick action, major damage to the IT infrastructure of the University of Bayreuth could be averted, at least according to current knowledge.
A danger foreseen is half avoided?
Not quite, because in the coming weeks and months the responsible IT staff will have to be even more attentive. The actual attacks may still come. No one can say with certainty whether this vulnerability had already been discovered and exploited by attackers for some time before it became public. Such successful attackers first spy on the hacked systems to capture passwords or other sensitive information, or possibly install a backdoor or other malware. This access is then sold on the darknet and serves as the basis for further attacks in which, for example, all data on a computer is encrypted in order to extort a ransom, or data on the server is spied on in order to exploit it for economic purposes. Such extortion attempts, known as ransomware, or the tapping of data could also be carried out from affected servers weeks or months after the initial infection.
Is my computer also affected by Log4j?
The Log4j security vulnerability mainly concerns server programs. On normal PCs, such programs are usually not installed, or at least do not run as a server service that can be accessed from outside. Indirectly, however, users who simply use the services of a website could be affected, for example because passwords are stolen there, with which the attackers then gain access to university user accounts. It is also conceivable that a hijacked server could be used to disguise malware as updates and distribute it to unsuspecting users.
What can end users do?
First and foremost, take the precautions that always apply. Always critically question e-mails that ask you to click on a certain link or to carry out a download. Also, keep the software installed on the computer up to date and use different passwords for the various logins to services such as eBay, Amazon or other Internet platforms. These passwords should also not be identical to the password for work-related access. This reduces the risk that a hacked account will lead to several profiles of one user being affected at the same time. If you want to be on the safe side, you should change your passwords promptly. A combination of at least twelve characters, mixing digits, upper- and lower-case letters and special characters, is considered secure. A little tip is to use a mnemonic sentence and take the first letter of each word (keeping numbers and punctuation) as the password, e.g. "my new password 2022 - because of log 4 j" = "mnP2022- wl4j". Incidentally, ITS also offers a training video on the subject of password security on the Panopto server, which was produced as part of the Information Security Week in the summer semester of 2021.
Fewer Zoom licences available
The university has decided not to extend the Zoom Campus licensing beyond March 2022. As a result, students and employees will no longer be able to use Zoom without restriction. With the Zoom accounts that will continue to be available, meetings will then only be possible for a maximum of 40 minutes. Further information on the licence changeover of Zoom and its successor as the video conferencing tool, MS Teams, can be found in the following FAQ:
With MS Teams, a more comprehensive, flexible alternative has long been available, which is why it is worth taking a closer look at Microsoft (MS) Teams and its possibilities.
Teams links all Office programs with each other. You can share Word, Excel or PowerPoint documents via Teams, create and edit content together and communicate in real time. It is possible to create different teams (groups). Authorisations and participants are managed individually. Even people outside the University of Bayreuth can participate in a project via Teams and gain access to data.
As a successor product to the well-known Skype, Teams enables video conferences and face-to-face communication, as well as virtual events and webinars with up to 300 participants. Similar to Zoom, participants can join a conference by audio only, or via mobile device, dial-in number and app.
With Messenger, it is possible to chat in a group or with an individual team member. Switch spontaneously to a call or share a screen. With the Teams app, which is available in the popular app stores, you can also chat on the go from your mobile phone.
MS Teams is free of charge for members of the University of Bayreuth. If you have any questions, please contact our colleagues at firstname.lastname@example.org.
Sustainable work (Guest article Green Campus)
In the last two years, everyday working life has changed fundamentally for a part of our society, as many people now work wholly or partly in a home office. In most cases, this saves CO2 emissions compared to the daily commute to the workplace. However, digital working also produces emissions through, for example, streaming or email traffic. However, these can be reduced in a simple way. In the following, we will show you practicable tips in 4 different areas with which we can make our digital work a little more sustainable in no time at all.
1. Manage private email accounts consciously
"By 2025, the world's server centres will be responsible for one-fifth of global electricity consumption." (Source: Data Economy)
If you consciously manage your email inboxes and delete mails that you know you will never need again, this not only helps you keep track, but also contributes to reduced electricity consumption. This is mainly due to the fact that mails that are no longer needed are still stored on servers and are thus responsible for constant energy consumption as long as they are not permanently deleted. A tidy e-mail box can save energy in this way. It's easy to do this by unsubscribing from newsletters you don't need, turning off automatic mail notifications (e.g. from social media) and activating a function for the spam folder that automatically deletes emails after a short time. (Source: Bavarian Consumer Service)
2. Prefer external storage media to the cloud
Analogous to email mailboxes, cloud-based storage servers also consume quite a bit of energy. Those who use external storage media such as hard drives to store private photos and videos can save constant energy consumption of the servers compared to the cloud. This means that no energy is needed when the data is not being used.
In this respect, it is particularly helpful if data is consciously managed in advance. This helps, for example:
- Switch off automatic saving of all received photos (consciously save photos).
- Switch off automatic synchronisation with the cloud (avoid unnecessary duplicates).
3. Digital conferences
Even though digital meetings can save quite a bit of CO2 emissions compared to face-to-face meetings, they are still far from CO2-neutral. Video transmission in particular consumes a considerable amount. Greenspector calculates that the CO2 emissions of the most popular video conferencing tools are on average three times higher when the user adds video to the audio. Of course, it is always nicer to see each other at a meeting, as this also promotes the flow of conversation. It is therefore advisable to structure digital conferences well. The shorter and more concisely a virtual meeting is structured, the less data flows and correspondingly fewer CO2 emissions are produced. This also helps participants stay attentive. :) (Source: Greenspector)
4. Search engines
Ecologically and socially compatible alternatives are not only available for electricity, but also for search engines. In the following, we present two such alternatives.
The search engine Gexsi functions like a social enterprise. Search queries generate income. This money is used to support projects that address the 17 Sustainable Development Goals. The Sustainable Development Goals (SDGs) of the United Nations are intended to ensure sustainable development on an economic, ecological and social level. Some of the goals are, for example, ensuring global food security, guaranteeing quality education or the conservation and sustainable use of the oceans, seas and marine resources (source: United Nations). A selection of the various projects supported is listed on the Gexsi website. By clicking on a project, you get a short project description and can read why the project was selected and which SDGs it addresses. (Source: Gexsi)
With the search engine Ecosia, 45 search queries finance the planting of one tree. The revenue generated supports more than 20 tree planting projects in 15 countries (in South America, Africa and Asia). The trees are planted on site with the support of local farmers. In this way, not only is biodiversity and species diversity (through the trees) promoted or maintained, but the local people are also offered alternative forms of cultivation. According to Ecosia's own information, the electricity needed to operate the search engine is obtained sustainably, partly from its own photovoltaic systems. (Source: Ecosia)
- Data Economy: https://www.broad-group.com/data/news/documents/b1m2y6qlx5dv5t/data-centres-world-will-consume-1-5-earths-power-2025
- Ecosia: https://info.ecosia.org/what
- Gexsi: https://gexsi.com/about/
- Greenspector: https://greenspector.com/en/which-video-conferencing-mobile-application-to-reduce-your-impact-2021/
- Ökotest: https://www.oekotest.de/freizeit-technik/Eine-E-Mail-ist-genauso-klimaschaedlich-wie-eine-Plastiktuete_600843_1.html
- United Nations: https://sdgs.un.org/goals
- Bavarian Consumer Service: https://www.verbraucherservice-bayern.de/presse/so-kommunizieren-sie-nachhaltig
Caution: Expensive emails in circulation
Fraudsters are always coming up with new scams. Currently, emails are circulating in which criminals pretend to be the boss. Under a pretext, you are asked to get voucher cards: STOP! At this point you should be alert.
These mails (image 1) do not contain any harmful elements. They merely pretend to come from your superior. The sender's email address "profchair@gmail.com" gives a first hint that it is a fake. Even if you reply to it because you are in a hurry and overlook the fake sender, nothing has happened yet. Most of the time, you will now receive another fake email (image 2) claiming that your superior needs gift cards from well-known services such as Google or Amazon. It becomes critical when you send the numbers of the gift cards to the attackers. These codes are redeemed immediately, and the financial damage remains with you.
So if you receive such or similar emails, please observe the following security measures:
- Check the sender's email address and compare it with the email address you know. Personal email addresses are usually assigned at the university in the following form: firstname.lastname@uni-bayreuth.de.
- Be especially attentive when checking emails on your mobile phone or tablet.
- Ask the supposed sender by other means, e.g. by phone.
- Do not let yourself be pressured, even if you are in a hurry.
- If in doubt, contact information security (email@example.com).
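The sender and content checks from this list, turned into a small mail-triage script as an added example (not code from the ITS newsletter): it compares the display name against a directory entry and the institutional address form, then looks for the gift-card lure and time pressure. The directory entry and the three sample messages are constructed; the address form firstname.lastname@uni-bayreuth.de and the fake sender profchair@gmail.com are the ones the newsletter describes.

```python
import re
from email.utils import parseaddr

# Institutional address form from the newsletter; the directory entry is a constructed, hypothetical person.
INSTITUTIONAL_DOMAIN = "uni-bayreuth.de"
STAFF_DIRECTORY = {"prof. dr. erika muster": "erika.muster@uni-bayreuth.de"}

# The lure (gift cards / vouchers) and the pressure phrases typical of this scam.
GIFT_CARD_RE = re.compile(r"\b(gift ?cards?|vouchers?|google play|amazon|itunes)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|asap|right away|immediately|in a meeting|can(?:no|')t talk)\b", re.I)


def check_message(from_header: str, body: str) -> list[str]:
    """Apply the newsletter's checks to one message and return the indicators found."""
    indicators = []
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    # Check 1: does the address match the one you know for this person, and is it institutional?
    expected = STAFF_DIRECTORY.get(display_name.strip().lower())
    if expected and address != expected:
        indicators.append(f"display name belongs to {expected} but address is {address}")
    if domain and domain != INSTITUTIONAL_DOMAIN:
        indicators.append(f"sender domain {domain} is outside {INSTITUTIONAL_DOMAIN}")

    # Check 2: the lure itself, and the time pressure the newsletter warns about.
    if GIFT_CARD_RE.search(body):
        indicators.append("message asks for gift cards / vouchers")
    if URGENCY_RE.search(body):
        indicators.append("message applies time pressure")
    return indicators


def is_suspicious(from_header: str, body: str) -> bool:
    """Flag only when a sender problem coincides with the gift-card lure and a third indicator."""
    found = check_message(from_header, body)
    sender_issue = any(i.startswith(("display name", "sender domain")) for i in found)
    lure = any(i.startswith("message asks") for i in found)
    return sender_issue and lure and len(found) >= 3


# Constructed samples modelled on the two-step scam described above.
SAMPLES = {
    "first_contact": ("Prof. Dr. Erika Muster <profchair@gmail.com>",
                      "Are you at your desk? I need a quick favour, I'm in a meeting."),
    "follow_up": ("Prof. Dr. Erika Muster <profchair@gmail.com>",
                  "Please buy 5 Google Play gift cards of 100 EUR and send me the codes right away."),
    "legitimate": ("Prof. Dr. Erika Muster <erika.muster@uni-bayreuth.de>",
                   "Could you send me the minutes of yesterday's meeting?"),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        print(name, "SUSPICIOUS" if is_suspicious(sender, body) else "ok", check_message(sender, body))
```

The first contact already shows three indicators but no lure, which matches the newsletter's point that nothing has happened yet at that stage; only the follow-up asking for card codes trips the flag.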
Advance notice: The IT Security Week is scheduled to take place from 28 March to 01 April 2022. More detailed information will be available shortly on our homepage.
Senior Editor: Oliver Gschwender
Authors: Oliver Gschwender, Claudia Willer, Ralf Stöber,
GreenCampus Jennifer Pflügler
Photo: Mati Mango from Pexels