Shellshock: What Cyber Security Experts Have to Say About Bash Bug
In the last 48 hours news about the latest serious security vulnerability known as Shellshock has spread quickly around the world.
The bug, which affects systems running Linux and Unix software, has been around for 25 years and is found in Bash, a command line shell that gives power users the ability to easily control how software operates.
Google and Amazon are said to be working to protect their servers, Apple has admitted that Mac OS X is vulnerable and there have already been reports of the vulnerability being exploited in the wild.
To get a sense of just how serious the Shellshock bug is, and what implications it has for system administrators, as well as ordinary internet users, we've canvassed seven top cyber-security experts about to get their views:
Jamie Blasco, labs director of AlienVault, reveals that his team has discovered attackers who are already actively exploiting Shellshock:
We have been running a Honeypot since yesterday that basically emulates a system that is vulnerable. We found several machines trying to exploit the vulnerability. The majority of them are only probing to check if systems are vulnerable.
On the other hand we found two attacks that are actively exploiting the vulnerability and installing a piece of malware on the system. These pieces of malware turn the systems into bots that connect to a C&C server where the attackers can send commands. We have seen the main purpose of the bots is performing distributed denial of service attacks.
Joe Siegrist, CEO and co-founder of LastPass, urges system administrators to be proactive rather than reactive, and take action now to protect their systems:
We are seeing Shellshock being actively exploited. Those companies that are not as proactive are at huge risk and may have already been exploited. The reason this could be potentially worse than Heartbleed is that with Shellshock you can make things run on a server, and get access to anything on that server, so in that way the exploits could be worse in terms of the actions that can be taken and the data at risk, and have worse consequences than Heartbleed.
Troy Gill, senior security analyst of AppRiver, believes one of the biggest issues with Shellshock is that the systems it affects are typically those that see themselves as less vulnerable:
One major element that I believe could cause some issues is the fact that a lot of these users are part of the community that likes to believe that their systems don't get malware because of the operating systems that they use. While it's true they are less targeted, they are in no way invulnerable to attack. This could be a case in point if cybercriminals decide to make a move to quickly begin exploiting this vulnerability.
Tim Erlin, director of security and risk at Tripwire, says that in conjunction with Heartbleed, Shellshock poses a double headache for system administrators:
This vulnerability in Bash delivers a kind of double-whammy to the IT security folks responsible for patching systems. The overlap of systems vulnerable to Heartbleed will be very high, and so the systems that are already difficult to patch for Heartbleed will also be difficult to patch for this new vulnerability. It won't be long before we have a call to action for addressing this because of an actively used exploit.
Tom Cross from Lancope warns that as well as computers and web servers being vulnerable, so will be critical industrial systems controlling everything from to the electricity grid to nuclear power plants:
Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade. Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack sector to explore.
Richard Cassidy, senior solutions architect at Alert Logic, attempts to pour some cold water on some of the panic that is beginning to emerge, saying that it will require a sophisticated attack in order to exploit the Bash bug:
The specific vulnerability found does require a specific set of conditions to be met. We need to look at this in context; yes it's a vulnerability and organisations should absolutely take steps to apply those patches currently being released; but to be exploited with this vulnernability we'd be looking in most instances at a very targeted attack, as opposed to an opportunistic 'script-kiddie' one.
David Jacoby, senior security researcher at Kaspersky Lab, also reminds us that not everyone is at risk:
This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met, for example, for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers look for other ways to exploit bash, explore different conditions that allow it to be exploited, etc. So a patch that helps to prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.
© Copyright IBTimes 2024. All rights reserved.