We posted this to our Internet Threat Center Wednesday with an update yesterday but I wanted to share what’s going on with this thing with a wider audience, because I think it’s important. Important from the standpoint of a clear trend developing in the cybercrime universe that should be troubling. Why? Read on and think IOT.
On Wednesday, September 24th, security geeks (like myself) discovered a vulnerability in Bash, a piece of system software used in millions of computers that run Unix, Linux or Mac OS X. These include most servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins. Potentially, the entire universe of the “Internet of Things” (IOT) could be affected by this bug.
The bug is called “Shellshock” (or “Bash Bug”), and it is potentially more serious and widespread than the Heartbleed bug discovered in April, though the two vulnerabilities are quite different in nature. Bash is a command shell — the thing you use to tell your computer what you want it to do.
While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands. Bash Bug is rated 10 on the 10-point Common Vulnerability Scoring System (CVSS), an industry standard for assessing how bad security flaws are, for both its impact and its ease of exploitation. Heartbleed is rated 5.
Systems running power plants and municipal water systems could be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet so they are not open to such risks.
Everyday users can’t do much right now, except wait for manufacturers to release fixes for their particular products. Companies are already releasing patches that correct the flaw, so we recommend applying the patches for routers, Macs and other devices as they come out.
But that might be easier said than done. It will depend on who made the equipment and whether you get a fix at all. Even if a fix is developed, getting it could be another matter. I expect, for example, that this will probably be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides.
To mitigate this threat, web server administrators should make sure they have the latest version of Bash installed. For the everyday user, the patching process is described on several websites such as StackExchange, but be warned — it does require a certain level of command-line knowledge to apply. We can also run vulnerability tests to determine whether your system is vulnerable.
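For administrators who want to check a machine themselves, here is a small self-test script I have added to this post (it is my own example, not something from the original advisory); the function names and the "probe" variable are my choices, and it assumes a POSIX shell and a Bash binary on the PATH or given as the first argument.

```shell
#!/bin/sh
# Self-test for the Shellshock bug: an unpatched Bash parses any exported
# variable whose value begins with "() {" as a function definition and then
# runs whatever text follows the closing brace when the shell starts.
# Added example for this post; the function and variable names are mine.

bash_shellshock_status() {
    target="${1:-bash}"   # path to the Bash binary to test, default: the one in PATH
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The variable is named "probe" (constructed for this check). A patched Bash
    # ignores the trailing "echo vulnerable", so only the marker line is printed.
    out=$(env probe='() { :;}; echo vulnerable' "$target" -c 'echo marker' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *marker*)     echo "patched";    return 0 ;;
        *)            echo "unknown";    return 3 ;;
    esac
}

# First line of "bash --version", handy for comparing against vendor advisories.
bash_version_string() {
    "${1:-bash}" --version 2>/dev/null | head -n 1
}

# Note: this probes only the originally disclosed flaw. Later related bugs in the
# same parser needed further patches, so "patched" here means the first fix is
# present, not that every follow-up fix is; always install the vendor's latest Bash.
status=$(bash_shellshock_status "$@" || true)
printf 'Bash: %s\nShellshock status: %s\n' "$(bash_version_string "$@")" "$status"
```

Run it as `sh shellshock-check.sh` (or pass a path such as `/bin/bash`); a "vulnerable" result means the Bash on that system still needs the update.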
The best protection, of course, is to run up-to-date security software on your devices and to subscribe to a threat awareness site like our Internet Threat Center, which you can find at http://www.netswitch.net/internet-threat-center/ – good luck.