Cyber-security experts predict that the latest Shellshock exploit could be much more damaging than Heartbleed

Heard of Bash? If not, make a note of it. Bash, which stands for Bourne-Again Shell, is the command-line shell installed on most Linux systems and on Apple's Mac OS X, both of which are built in the Unix tradition. A critical, remotely exploitable vulnerability has been found in it. The bug, dubbed Shellshock, can be used to run commands on, and ultimately take control of, any system that passes attacker-controlled input into Bash (for example a web server running CGI scripts), and security experts say it has the potential to affect hundreds of millions of computers, servers and devices, leaving them open to cyber-criminals.

So is the discovery of this latest flaw something we should all be worried about? According to Professor Alan Woodward, a security researcher from the University of Surrey, this latest bug is deadly serious. What compounds his concerns is that, unlike Heartbleed, which required a certain degree of sophistication and know-how to exploit, carrying out attacks using Shellshock is simple: the attack is a single crafted string. That is why it is impossible to say with any certainty exactly who is at risk. What's more, Heartbleed only let attackers read information out of a server's memory; Shellshock lets them execute commands and take over servers and systems outright:

“Whereas something like Heartbleed was all about sniffing what was going on, this [Shellshock] is about giving you direct access to the system. [That leaves] the door wide open.”

It is believed that approximately 500,000 machines worldwide were vulnerable to Heartbleed, but experts are warning that early signs indicate Shellshock has the potential to hit 500 million machines, and that figure is considered by many to be a conservative estimate. A large share of the world's web servers run Apache, and any of them that serve CGI scripts written in Bash, or that invoke Bash from a CGI script, are exposed, because the web server copies HTTP request headers into the script's environment variables and Bash parses those variables on start-up.
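The mechanism described above can be checked directly. The following is an added example for this article, not code from Krypsys or from the Bash project: it wraps the widely published one-line Shellshock probe in a function, and simulates what a web server's CGI module does when it copies a request header into the environment of a Bash script. The CGI script, the header value and the temporary file name are all constructed here for illustration.

```bash
#!/bin/sh
# Added example, not part of the original article.
#
# Pre-patch Bash treats any environment variable whose value starts with
# "() {" as an exported function definition and, crucially, keeps executing
# whatever follows the closing brace. That trailing code runs when Bash
# starts, before the command it was asked to run, so anyone who can plant
# an environment variable (e.g. via an HTTP header copied into a CGI script's
# environment) gets arbitrary command execution.

# Run the canonical probe in a fresh Bash. The crafted variable 'x' holds an
# empty function body followed by a trailing 'echo' that a fixed Bash must
# never run. Prints one of: vulnerable, not-vulnerable, no-bash.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable";     return 1 ;;
        *)            echo "not-vulnerable"; return 0 ;;
    esac
}

# Simulate the web-server side: a CGI module exports the User-Agent header as
# HTTP_USER_AGENT and runs the script. The script is a constructed Bash CGI
# that only echoes the header back. With a header such as
#   () { :;}; echo pwned
# a vulnerable Bash prints "pwned" before the script's own output; a patched
# Bash just treats the header as an ordinary string.
simulate_cgi_request() {
    ua="$1"
    script=$(mktemp)
    cat >"$script" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "ua=$HTTP_USER_AGENT"
EOF
    HTTP_USER_AGENT="$ua" bash "$script"
    rc=$?
    rm -f "$script"
    return $rc
}

# Usage (output depends on the Bash version installed on the host):
#   shellshock_check
#   simulate_cgi_request '() { :;}; echo pwned'
```

On a patched host the probe prints "not-vulnerable" and the simulated request prints only the three lines the script itself emits; on an unpatched host the probe prints "vulnerable" and an extra "pwned" line appears at the top of the CGI output, which is exactly the behaviour the honeypots mentioned below were recording. Note that the probe only tests the Bash binary found first on the PATH; a server may have other copies, and the check says nothing about whether any service actually exposes Bash to the network.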

The response to the latest crisis has been predictable, with the US Computer Emergency Readiness Team (US-CERT) issuing warnings about the bug and advising administrators to apply patches as soon as possible. In the UK, the government's cyber-security response team issued an alert to its agencies and departments advising them to give Shellshock the highest possible threat rating. However, security experts have warned that the first round of patches was incomplete and, on its own, does not fully secure a system, so administrators should expect to apply follow-up fixes as they are released.

Is there any evidence that hackers are already using this new vulnerability for malicious purposes? Researchers at Kaspersky Lab and AlienVault certainly seem to think so. A number of attacks on websites and servers using the Shellshock bug have already been spotted. Thousands of servers have been compromised via Shellshock and some have been used to bombard web firms with data. The evidence of the scanning and attacks came from honeypots run by security companies.

One group used its Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline. Another group used its botnet to scan for more vulnerable machines. It is believed these attacks will only increase as the code used to exploit the bug is shared more widely.

If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].