Shellshock: Threat of the Week
The Shellshock bug has been found in the application Bash, which is found in many versions of Linux, Unix and even some Apple operating systems.
The threat is that a wily hacker could detect the Bash vulnerability and seize control of that system.
In theory, it means credit union online banking could be seized by crooks. Ditto for the routers that many institutions use to get online.
Bash is a command line used in many operating systems. Its initial release was 1989; thus, it may be found on literally tens of millions of computers.
According to The Department of Homeland Security’s United States Computer Emergency Readiness Team, the following Linux, BSD and UNIX distributions are potentially affected:
- CentOS 5 through 7
- Mac OS X
- Red Hat Enterprise Linux 4 through 7
- Ubuntu 10.04 LTS, 12.04 LTS and 14.04 LTS
According to Kyle Kennedy, CTO at data focused company STEALTHbits Technologies, located in Hawthorne, N.J., not much skill is needed on the part of hackers seeking to exploit the Bash flaw.
“The method of exploiting this issue is quite simple – doesn’t require sophisticated attack methodologies – essentially cutting and pasting a line of code can provide a hacker/cyber-criminal very good results with minimal effort,” he said.
Apple, for its part, issued a statement that unless a user has configured his/her computer to run advanced UNIX services it has no Bash vulnerability. Apple believes few have done so, although the company said it is working on a patch that will protect those users.
Patches also are in the works – some have been distributed – to offer protections to Unix and Linux users.
CUNA Mutual released a risk alert on Bash for credit unions.
“Credit union IT staff should identify all devices with the affected operating systems. Patches should be installed as soon as they are made available by the vendors,” the alert read.
Don Jackson, director of threat intel at security company Phishlabs in Charleston, S.C., urged credit unions to contact vendors that provided them with public facing Internet tools, such as online banking, to check on the current security status and what patches are available.
Jackson, without diminishing the potential vulnerabilities involved with the Bash bug, nonetheless said, “the sky hasn’t fallen yet. If the sky were going to fall it would have already.”
Shellshock was revealed Sept. 24, and so far, successful attacks have been limited, he said.
“In practice, the potential impact will be low compared to what in theory could happen. Controls are already in place from past exploits. Many servers are hardened,” he said.
The Heartbleed bug, detected earlier this year, prompted many credit unions and their vendors to toughen security. Such actions, Jackson suggested, lessened today’s vulnerability.
Other security experts are less sanguine.
“We’re seeing mass scans against this vulnerability. Is someone telling me hackers aren’t trying to use it? More than likely, they weren’t unaware until it was announced; and as soon as they discovered the hole (as we did), they scoured aggressively for unpatched, vulnerable systems to attack,” Pierluigi Stella, CTO at security company Network Box USA, said.
“The amount of scans we’re witnessing doesn’t tell me that this is nothing. It tells me very clearly how very serious things are and that hackers are actively exploiting whatever they can find. Even Heartbleed wasn’t targeted as intensely by hackers,” he added.
An important difference between Heartbleed and Shellshock is that with Heartbleed, users were forced to change their online passwords. Shellshock requires system administrators to install patches.
Exactly how ugly Bash turns out to be is an open question. The answer will reveal itself in the next few weeks.
For now, however, the advice is unanimous: Identify vulnerable systems and patch them as soon as possible. Interrogate vendors about possible vulnerabilities and demand patches. Treat Bash as a serious threat because it is.