News is breaking today about a wide-reaching and extremely serious vulnerability, which the security community has nicknamed Shellshock. Although the security and developer communities are still pulling all-nighters to come to grips with the seriousness of the issue, we at BreachAlarm wanted to fill you in on everything we know, and how it affects you as a casual technology user.
First, the bad news: the Bash software in which the Shellshock bug has been discovered is present in all sorts of computer systems, and we mean all sorts. The web services you use, your work’s network services and infrastructure, your personal computer (especially if you own a Mac), your smartphone (iPhone or Android), the Wi-Fi routers in your home and business, your bank’s ATMs, the cash registers at the stores where you shop, even many of the boxes you plug into your TV, all of these are likely to contain the Bash software. Basically, anything running open source software (and a vast array of commercial products do) is likely to include a copy of Bash. As for what versions of Bash have the bug, how does every version released in the past 20 years sound? Yes, the news is that bad.
At this point, you might be wondering just what this Bash software is, and if it’s so buggy, why it seems to be in every digital device in your life. And what can you even do about it? Allow us to explain.
The Program that Runs Programs
You know in the movies when a hacker sits down at a computer and starts typing commands? The computer will display a prompt, such as ‘$’ or ‘>’, and the hacker will type something dastardly next to it, like transfer all funds to my bank account. When he hits Enter, the computer does what he says. The program that displayed that prompt, that asked the hacker what he wanted done and made it happen? That’s Bash.
Bash is what computer professionals call a shell. It’s the program that automatically runs when you log into a computer. It asks you what program(s) you want to run, and it runs them for you. If you think of it as a 20-year-old version of the Windows Start Menu, or the Dock in OS X, you aren’t far off the mark, except that Bash mostly operates behind-the-scenes, automatically running the programs that make even very simple computer systems do useful things. That’s why Bash is everywhere.
Of course, if you have a Windows computer, you don’t want anyone clicking around your Start Menu and launching programs but you. Likewise, shells like Bash are designed so that not just anyone can tell them what to do. Gaining access to Bash so that you can make it do things usually requires you to have a valid account on the computer system in question, one with sufficient privileges to access Bash. On consumer devices like smartphones and TV set-top boxes, normally it’s only the manufacturer that has the necessary credentials to access Bash. That’s where the Shellshock bug comes in.
What Shellshock Does, Exactly
The Shellshock bug enables hackers to fool Bash into running commands that the manufacturers of a device, or the programmers of a web service, did not intend. Say you log into your online banking website. The software that runs the website might, say, use Bash to run a program that retrieves a list of your transactions for you. But if you’re a hacker who understands the Shellshock bug, you could send that website a malicious request instead. You could ask for your transaction list in a way that fooled Bash into doing something else, something you’re not supposed to be able to do, like sending you someone else’s transaction list!
In short, Shellshock lets hackers reach out over the Internet to hundreds of millions (if not billions) of services and connected devices, and start typing commands, and those systems will execute those commands without question.
If you’re technically minded, there’s plenty of coverage of the nitty gritty details out there. Security researcher Troy Hunt has a nice roundup.
What Makes Shellshock Especially Bad
In most cases such as these, when everyone and everything is vulnerable, you can take some comfort in the fact that there are probably juicier targets out there than you. Unless you’re a celebrity, or a very rich company, you probably aren’t going to rank among hackers’ first targets. Unfortunately, with Shellshock, there are two factors that make it bad news even for average users.
First, Shellshock is such a simple bug (in terms of how easy it is to exploit) that you don’t even need to be very tech-savvy to use it to do some fairly nasty things. Given an hour or two, a twelve-year-old who enjoys tinkering with computers could probably figure out how to use Shellshock to issue some basic commands on the servers of a vulnerable website. Keep in mind, news of this thing is less than a day old; given a week or two, more capable hackers will devise and distribute easy-to-use hacking kits based on Shellshock that anyone with a little computer knowledge can download and use.
Second, because Shellshock gives hackers access to Bash—a program that runs programs—hackers will be able to use Shellshock to infect vulnerable systems with programs that in turn find and infect other vulnerable systems. Commonly called a worm, such self-replicating malicious software can rapidly spread between vulnerable systems. And remember, with Shellshock, vulnerable systems are everywhere. Effectively, Shellshock makes self-spreading computer viruses very easy to write.
The Good News
There isn’t much, but there’s this: As far as anyone knows, hackers found out about this bug along with everyone else today. That means actively-maintained websites, services, and devices stand a good chance of being updated to correct the bug before hackers are able to target those systems (either specifically, or with randomised or self-replicating attacks).
Yes, this bug has existed for 20 years, but all indications are that no one knew about it until it was first discovered last week, and then began making headlines in the security community today.
At this point, hackers’ efforts to explot the Shellshock bug are likely to be focused on publicly-accessible web servers. Finding a way to poke privately owned devices such as smartphones and Wi-Fi routers in such a way that Bash will respond is going to be significantly harder, so hackers will by and large stick to the low-hanging fruit. By the time your smartphone is targeted by an attack that might put it at risk, you’ll almost certainly have received a software update to protect it.
Many bright minds in the security community (your humble author included) will be pulling some late nights in the coming weeks, but hopefully in doing so they will help the rest of the world stay ahead of the wave of attacks based on Shellshock.
OK, What Do I Do?
Two things: update what you can, and expect updates from others.
Be especially watchful for software updates to your computer and your smartphone over the next week or so. If you’ve been dragging your heels on updates to either of these, get up to date immediately so that when the Shellshock update comes along you can jump on it instantly. As of now, it appears most Windows PCs are not vulnerable (since Bash is not included on Windows systems by default), but many Windows systems are running software that uses Bash internally, so updates to Windows applications (as opposed to Windows itselF) are important too. Macs, as of this writing, are definitely vulnerable, as Bash is a core component of the OS X operating system.
You should also explore updates to some of the devices you might not usually update on a regular basis. Your Wi-Fi router, your Cable or ADSL modem, your printer, your set-top box … even your television! Most of these devices have software updates available from their manufacturers, and most users ignore them. Visit their websites and see what’s available now, then visit them again in a week or two to see if there’s a new update for Shellshock. Install what you can.
Next, keep an eye on the major web services that you use. As happened with the Heartbleed bug in April, you can expect to receive emails from many of your favourite websites letting you know they were vulnerable to Shellshock, but have since been updated to protect you. Look kindly on sites that are upfront and honest about—and responsive to—security issues that impact you. Treat sites that are tight-lipped about such things with a healthy dash of suspicion.
Shellshock and BreachAlarm
Here at BreachAlarm, the first we heard of Shellshock was when a malicious request (intended to check our servers for vulnerability to a trivial Shellshock-based attack) triggered an alarm alerting our development team to unusual activity. That in itself is unusual; we usually learn of new vulnerabilities long before we see attempts to exploit them hit our servers. As it turned out, the request was part of an automated scan for vulnerable websites on the Internet by sercurity researcher Robert Graham.
As soon as our work to explain the unusual activity led us to learn about Shellshock, we applied the initial security fixes available to the Bash program on all of our servers. This process continues even now. As researchers discover new ways to exploit the bug at the heart of Shellshock, and update Bash to prevent those attack vectors, we continue to apply those fixes as soon as they become available. The same thing is happening behind the scenes at many—if not most—of the websites you visit every day.
It’s too early to say we are immune to Shellshock-based attacks, because new kinds of attack based on Shellshock are being discovered hour by hour. The best we can do is respond to new developments as they come to light, and we promise we are doing so in order to preserve the privacy and integrity of whatever data you have shared with BreachAlarm.
As usual, BreachAlarm is keeping watch for data released by hackers as a result of any Shellshock-based hacks. If you haven’t already, subscribe to Email Watchdog (it’s free for individuals!), so we can notify you immediately if you’re affected.
We will continue to update this post as additional news about Shellshock comes to light.