xper Posted September 26, 2014

A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure. The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.

Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed. The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit.

Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function.

http://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-virus-panic-at-worst-ever-computer-bug-sees-governments-race-to-protect-critical-infrastructure-9756819.html
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
jaclaz Posted September 26, 2014

Some more data:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

jaclaz
Tripredacus Posted September 26, 2014

We are also looking at consumer products being vulnerable to this including routers and potentially consoles like Playstation or Ouya.
jaclaz Posted September 26, 2014

> We are also looking at consumer products being vulnerable to this including routers and potentially consoles like Playstation or Ouya.

And light bulbs.

Same mentioned article (go to the original to get the other links):
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

> Are our “things” affected?
>
> This is where it gets interesting – we have a lot of “things” potentially running Bash. Of course when I use this term I’m referring to the “Internet of Things” (IoT) which is the increasing prevalence of whacking an IP address and a wireless adaptor into everything from our cutlery to our door locks to our light globes.
>
> Many IoT devices run embedded Linux distributions with Bash. These very same devices have already been shown to demonstrate serious security vulnerabilities in other areas, for example LIFX light globes just a couple of months ago were found to be leaking wifi credentials. Whilst not a Bash vulnerability like Shellshock, it shows us that by connecting our things we’re entering a whole new world of vulnerabilities in places that were never at risk before.
>
> This brings with it many new challenges; for example, who is actively thinking they should regularly patch their light bulbs? Also consider the longevity of the devices this software is appearing in and whether they’re actually actively maintained. In a case like the vulnerable Trendnet cameras from a couple of years ago, there are undoubtedly a huge number of them still sitting on the web because in terms of patching, they’re pretty much a “set and forget” proposition. In fact in that case there’s an entire Twitter account dedicated to broadcasting the images it has captured of unsuspecting owners of vulnerable versions.
>
> It’s a big problem with no easy fixes and it’s going to stick with us for a very long time.
>
> But Bash shells are also present in many more common devices, for example our home routers which are generally internet-facing. Remember when you last patched the firmware on your router? Ok, if you’re reading this then maybe you’re the type of technical person who actually does patch their router, but put yourself in the shoes of Average Joe Consumer and ask yourself that again. Exactly.

This is specific to LIFX light bulbs AND it is about another vulnerability, but the point made remains (potentially) valid:
http://www.smh.com.au/digital-life/consumer-security/security-vulnerability-found-in-lifx-smart-light-bulbs-exposes-home-wifi-passwords-20140709-zt12p.html

jaclaz
Tripredacus Posted September 26, 2014

Fortunately, I don't think I have any OSes installed in my lightbulbs.
dencorso Posted September 26, 2014

So much for linux machines and Macs being safer and virus-proof...
jaclaz Posted September 26, 2014 Share Posted September 26, 2014 (edited) So much for linux machines and Macs being safer and virus-proof...Well, to be fair, there is as always a bit of hype . The MAC's seemingly have NOT BASH enabled by default (and it is rare to find MACs hosting an http server with CGI and/or PHP). The "corporate" Linux servers, on the other hand, tend to have other means/layers of protection, and at least judging from the effects of the test scanning a nice chap did:http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.htmlthey are pretty much "safe". Detectify has put a simple online test:https://shellshock.detectify.com/ What are really "at risk" are IMHO more the less/badly maintained (or "fake" Open Source) little Linux devices (where the vulnerability may be present BUT NOT most of them as seemingly busybox is not affected) :https://www.nccgroup.com/en/blog/2014/09/shellshock-bash-vulnerability/ but more than that "home made" servers put together by the "half technical" good guys (technical enough to put together such a system, but not enough to secure it effectively) and devices that use a "more sophisticated" environment than busybox. In any case, the vulnerability is a rather serious one in theory, but in practice the actual effects (if any) seem like being much more limited than what initially hypothesized as, besides the BASH vulnerability it seems like there must be a number of concurrent factors to make the exploit actually have some impact. https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271 jaclaz Edited September 26, 2014 by jaclaz Link to comment Share on other sites More sharing options...