Latest posts by Alvin Bryan (see all)
Last Thursday, a new Internet security flaw was discovered in software that about half the world’s web servers use. Shellshock, also known as the bash bug, is being used to recruit servers and networked computers into hacker botnets. Some say the shellshock bash bug is worse than Heartbleed: Internet users are helpless against it, and it affects a potentially greater number of users. US-CERT has already issued an alert for all Unix-based operating systems, such as Linux and Mac OS X.
Google and Amazon Respond First
Both Amazon and Google were quick to issue patches for the shellshock bash bug. Security researchers found the flaw last week, and both services issued fixes on Thursday. The shellshock bash bug affects between 20 and 50% of web servers and can also affect software used by Apple devices.
The shellshock bash bug lets attackers run code of their choosing on networked computer systems. The flaw is in the bash shell, part of the Unix operating system code used by OS X and by up to half of website servers. Hackers can use the shellshock bash bug to execute commands on, and take control of, remote systems, which leaves many websites and computers open to hijacking. Viruses can then be freely uploaded through web servers and WiFi connections.
Google immediately checked its cloud services and internal servers and has patched the shellshock bash bug. Google security researcher Tavis Ormandy, however, is not confident that the patches are complete; no further detail was given regarding his Tweet. Veracode’s chief technology officer Chris Wysopal likewise advised that some systems may remain open to exploits even after the patch has been applied. The good news is that teams of security experts from different companies are working together to locate and patch vulnerable systems. They are also looking into additional preventive measures to reduce the effectiveness of shellshock bash bug attacks.
Amazon Web Services has advised users on how to lessen their chances of falling victim to the shellshock bash bug. Linux providers have also prepared patches, but Apple has yet to comment on the shellshock bash bug or issue a fix for OS X users. FireEye’s director of threat research Darien Kindlund calls the shellshock bash bug horrible; FireEye is the cybersecurity firm that estimated its impact. Patching every vulnerable computer and network is a big job, and it may be a while before consumers can breathe easy.
Shellshock Bash Bug Is 34-Year-Old Code
This is not a new flaw, experts say. The bash module was created in 1980. Linux-based software seller Red Hat explains that the shellshock bash bug may have been used before to gain control of computer systems. Websense CEO John McCormack concurs, adding that it is highly unlikely that governments, in particular, had no knowledge of the shellshock bash bug.
So far, there is no record of the shellshock bash bug having been used for web server exploits in the past. Even so, the shellshock bash bug has a projected success rate of 100%. Because of this, and because consumers are relatively helpless against the attack, users are warned to do all they can to defend themselves. The potential damage of the shellshock bash bug is too great to ignore, especially since it is so easy to exploit. This assessment comes from the Department of Homeland Security’s vulnerability database and from Rapid7’s engineering manager Tod Beardsley.
Internet users need to be even more vigilant about checking for security updates from all the services and software they use. Visiting unknown sites and using unverified WiFi networks is an absolute no-no. Microsoft-commended security professional Troy Hunt has published very helpful instructions for reconfiguring computer systems, but these are for the techies.
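For those techies, here is an added self-check (not from the article, nor from any vendor or researcher it quotes) that an administrator can run on their own hosts to confirm a fix has landed: it passes a bash function definition with a trailing command through the environment and reports whether the installed bash still executes that trailing command, which is the behaviour the patches remove. The variable name and marker string are constructed for the example.

```shell
#!/bin/sh
# Shellshock self-check for the local host (added example, defender's view).
# A bash that imports function definitions from environment variables
# without sanitising them also runs whatever follows the definition.
# We hand a child bash such a variable and look for the marker it would
# leave behind; a patched bash treats the variable as ordinary text.

check_bash_env_import() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # "testfn" and "SHELLSHOCK_MARKER" are constructed names; the child
    # is only asked to print "ok", so any marker in the output means the
    # environment value was executed during startup.
    out=$(env testfn='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# Report the bash build so the result can be matched against the
# vendor's advisory for that package.
bash_version() {
    if ! command -v bash >/dev/null 2>&1; then
        echo none
        return 2
    fi
    bash -c 'echo "$BASH_VERSION"'
}

main() {
    printf 'bash version: %s\n' "$(bash_version)"
    printf 'env function import: %s\n' "$(check_bash_env_import)"
}

main
```

A result of "vulnerable" means the package has not received the fix and should be updated before the host serves web or DHCP traffic again; "patched" means the function-import path is closed on this build.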
Shellshock Bash Bug is Worse Than Heartbleed
The shellshock bash bug comes just five months after the devastating Heartbleed bug. Heartbleed was a serious security flaw that caused most websites to leak data. It was even exploited by the NSA to boost its network spying activities. Almost half of American Internet users had to change their passwords on all the websites they used to keep it from compromising their accounts. But experts are now saying that the shellshock bash bug is worse than Heartbleed.
According to security experts, Internet users do not have many options for securing their data against the shellshock bash bug. It is very easy for hackers to use and has very severe consequences for users. The bash software controls the command prompt on most Unix computers. Hackers could exploit this Linux software bug to completely take over any targeted system without breaking a sweat.
Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned that the bug was rated a “10” for severity, meaning it has maximum impact, and “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks. The shellshock bash bug allows attackers to control user computers, not just spy on them. It is also far easier to use than Heartbleed. Trail of Bits CEO Dan Guido explains the ease of use with a copy-and-paste analogy. The maximum-impact shellshock bash bug is therefore usable by almost anyone who can access the code and has some technical knowledge of where to insert it.