Fallout from bash and shellshock: You might feel this for years
The latest Internet security bug could allow attackers to take control of millions of computers and devices and reverberate for years.
Security researchers revealed the vulnerability - called 'shellshock' and the 'bash bug,' after the afflicted software - this week and say up to half of web servers could be at risk.
The bug allows an intruder to tell the computer's command center what to do on Unix-based operating systems like Linux and Mac OS X, which run on a large portion of connected devices.
'You can take control of the system and do virtually anything from there. You can steal information from people. You can display different information to people. You can steal passwords,' says Josh Bressers, manager of the security response team at Red Hat, a software company that is working to fix the bug. 'The imagination of the bad guys is the limit.'
Stéphane Chazelas, the security expert who discovered shellshock, says the flaw has been around for more than 20 years and it's difficult to determine the scope of the problem because the way attackers could exploit it varies for each device. Multiple experts said it appears the bug has yet to be abused. The Department of Homeland Security rates the bug a 10 out of 10, given how easily hackers could take advantage of the hole and produce big risks.
The flaw draws a giant red circle around the so-called Internet of Things. Making everyday devices smarter by wiring them to send and receive data - for example, so your refrigerator can keep a running grocery list - is convenient. Having to figure out when to update the software for all those things? That could be a nightmare.
'I'll bet that Internet-connected toothbrush is running on Linux. How do you patch your toothbrush?' says Christopher Budd, global threat communications manager at the security company Trend Micro.
Years from now, hackers could still find these kinds of devices - ones that still have the security hole and were never patched because nobody realized they need to update the software on their camera or air conditioning unit.
Shellshock isn't something consumers can contain themselves. It's up to the people who maintain web servers to plug the hole. Google and Amazon addressed the issue Thursday. While waiting for companies to issue more security updates, 'you can also panic and just run around in circles and wave your arms and scream,' says Robert Graham, owner of Atlanta-based Errata Security. For those who wish to be more proactive, other security experts offered a few tips:
Download security updates. Mac computers may include the flawed code and should immediately apply security patches Apple puts out.
Look for notifications from service providers that may have been hacked. Criminals are likely racing to exploit the vulnerability as companies work to shellshock-proof their systems, which means an organization 'may have been hacked if they have not been fast enough to apply the patches,' Chazelas, who is credited with discovering the bug, says.
Change your password if someone tells you to. If a company tells you it's been hacked through this bug and asks users to create a new password, do it, Chazelas says. This seems like obvious advice, but a major Internet security problem revealed last spring offered evidence that people don't always do it, despite doomsday warnings.