Just because you have the right services in place with smart people watching over and securing your data, don’t ever think the job is done. A new threat has arrived, and it is much worse than Heartbleed.
Bash is a command processor written in the late 1980s as a replacement for the Bourne shell. It is still used today on many Unix, Linux and Mac servers. The Bash bug vulnerability, also known as Shellshock, is a security hole that lets hackers in to take over your machines. The bug dates from version 1.13 of Bash and was discovered just last month.
“Unlike the OpenSSL Heartbleed vulnerability which was limited to information leakage, this new Shellshock issue in Bash is vulnerable to a much broader set of exploits, including allowing hackers to take full control of the target system,” explains Mahshad Koohgoli, CEO of Protecode. “What is probably more damaging, however, is how broadly Bash is deployed in everyday electronics and computer systems, and how some of these devices cannot be upgraded. Fortunately, exploiting Shellshock is harder to do than Heartbleed, and even if you have Bash installed on your system it does not mean that it is in use and exploitable. While only a small proportion of the embedded devices running Unix derivatives actively use Bash, it is still important to check and patch if necessary since the repercussions could be disastrous.”
According to an MIT Technology Review article this week:
Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks “in the wild.” Information security departments at all companies and organizations should take preventive actions such as applying security fixes and close monitoring of internal networks. The United States Computer Emergency Readiness Team has issued an alert, and along with other security organizations worldwide is recommending users and system administrators apply security fixes as soon as possible.
In a Manufacturing Business Technology article we ran earlier this week, “3 Tips For Fortifying Your Network,” Dan McGrath talks about how many industrial operations struggle to find the right approach to protecting their assets. What’s alarming is that many companies opt for a “security through obscurity” technique, forgoing protections and instead relying on the system’s complexity to keep assets hidden. In a world where hackers are searching for vulnerabilities and writing computer viruses to exploit those issues, it’s absurd to think any company, big or small, is approaching its security this way.
Just this week, the AP reported that members of an international hacking ring that gained access to a U.S. Army computer network while targeting computer giant Microsoft and several video game developers pleaded guilty to conspiracy charges. It just goes to show that no one is safe from these kinds of attacks.
“If your organization builds and delivers software, you should regularly check for vulnerabilities in the open software that is in use,” adds Koohgoli. “You can also leverage tools that alert you of vulnerabilities as they are discovered.”
For example, open source scanning products, like those that Protecode offers, can detect, flag, and quickly respond to risks posed by security vulnerabilities like Shellshock, Heartbleed, and other security threats. These products can process the latest National Vulnerability Database information and publish it daily into a reference database, giving it the ability to warn customers of potential security threats as soon as possible.
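The matching step such a tool performs can be shown in a few dozen lines. The script below is an added example, not Protecode’s product or any vendor’s code: it reads CVE records shaped like the legacy NVD JSON 1.1 feed (the `CVE_Items` / `cpe_match` layout), compares each record’s CPE version range against a software inventory, and returns the components that need attention, highest CVSS score first. The feed, the inventory, the CVE identifiers (`CVE-0000-000x`) and the scores are all constructed placeholders for the example.

```python
"""Match a software inventory against NVD-style CVE records (added example).

The record shape follows the legacy NVD JSON 1.1 feed layout as assumed
here; feed contents, CVE IDs and scores are constructed placeholders.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed feed sample. The IDs are placeholders, not real CVE numbers.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "description": {"description_data": [
                 {"lang": "en", "value": "Placeholder: shell bug (constructed)"}]}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*",
          "versionEndIncluding": "4.3"}]}]},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
             "description": {"description_data": [
                 {"lang": "en", "value": "Placeholder: TLS library bug (constructed)"}]}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "1.0.1",
          "versionEndExcluding": "1.0.1g"}]}]},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}},
]})

# Constructed inventory: what is actually deployed, per component.
SAMPLE_INVENTORY = [
    {"host": "plc-gateway", "vendor": "gnu", "product": "bash", "version": "4.2.45"},
    {"host": "hmi-web", "vendor": "openssl", "product": "openssl", "version": "1.0.1e"},
    {"host": "historian", "vendor": "openssl", "product": "openssl", "version": "1.0.1g"},
    {"host": "historian", "vendor": "gnu", "product": "zlib", "version": "1.2.8"},
]


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1g' into ((1,''),(0,''),(1,'g')) so versions sort sanely."""
    parts = []
    for comp in version.split("."):
        m = re.match(r"(\d*)([A-Za-z]*)", comp)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(parts)


def in_range(version: str, match: Dict) -> bool:
    """Apply the NVD range attributes plus the literal CPE version field."""
    v = version_key(version)
    bounds = (("versionStartIncluding", lambda b: v < b),
              ("versionStartExcluding", lambda b: v <= b),
              ("versionEndIncluding", lambda b: v > b),
              ("versionEndExcluding", lambda b: v >= b))
    for attr, excluded in bounds:
        if attr in match and excluded(version_key(match[attr])):
            return False
    cpe_version = match["cpe23Uri"].split(":")[5]
    return cpe_version in ("*", "-") or version_key(cpe_version) == v


def match_inventory(feed_json: str, inventory: List[Dict]) -> List[Dict]:
    """Return one alert per (CVE, inventory item) pair, highest score first."""
    alerts = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        score = item.get("impact", {}).get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore", 0.0)
        for node in item["configurations"]["nodes"]:
            for m in node.get("cpe_match", []):
                if not m.get("vulnerable", False):
                    continue
                _, _, _, vendor, product = m["cpe23Uri"].split(":")[:5]
                for comp in inventory:
                    if (comp["vendor"], comp["product"]) == (vendor, product) and in_range(comp["version"], m):
                        alerts.append({"cve": cve_id, "score": score, "host": comp["host"],
                                       "component": f"{product} {comp['version']}"})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in match_inventory(SAMPLE_FEED, SAMPLE_INVENTORY):
        print(f"{a['cve']} score={a['score']} {a['host']}: {a['component']}")
```

Feeding the script a real daily NVD download instead of `SAMPLE_FEED` is a matter of swapping the JSON string; the inventory is the part an organization has to maintain itself, which is the “check what open software is in use” step the quote above calls for. Note that the version comparison is deliberately simple: distribution-patched packages (a Bash 4.2 that carries the Shellshock fix as a backport) would still be flagged, so alerts from this kind of matching are a prompt to verify, not proof of exposure.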
What Do You Think?
Exploits like Heartbleed and Shellshock can do considerable damage, not only to a company’s systems and information, but to its public image with customers. Is your company typically on the offense or defense when it comes to data security? Do you worry that vulnerabilities like Heartbleed and Shellshock hinder manufacturers from adopting more cloud-based services and IoT initiatives? Tell us what you think by leaving your comments below.