The Bash Bug

You may have heard in the news about the latest apocalyptic technology threat, the Bash Bug also known as Shellshock. The media may have over hyped this one a little but the threat is certainly real. Most of the servers on the internet that provide access to the web pages you surf every day run Linux and are potentially vulnerable. The Bash Bug is also capable of getting into other equipment like routers and switches whose software is frequently based on Linux. Macs running OS X are also based on similar software at the core and are vulnerable to the Bash Bug but only if they have the advanced Unix services enabled. OS9 and earlier Macs are not affected according to Apple. The good news — for once, Windows devices are unaffected!

Linux is an operating system like Windows and provides the basic interface for people to interact with the device. Bash is part of that interface in Linux and it has a very old bug that hackers have discovered how to exploit. By sending a properly structured text command over a network to one of these machines a hacker can get the Linux computer to run programs and do things that would require authentication and security privileges normally. This is frightening because a hacker can essentially hijack one of these devices and use it for anything they want: sending spam, hosting viruses or illegal content, or attacking other systems.

Now for the part that really makes security pros nervous. In the past I have talked about The Internet of Things. The light bulbs, toasters, and ovens you can control from your phone over the internet are all examples of devices that are part of The Internet of Things. These devices in many cases run a tiny Linux operating system that uses in many cases the insecure version of Bash. Unlike the Servers, routers, and switches that run the internet and many internal networks, these devices don’t have good security and typically lack any way to patch them when security flaws are discovered. You might be thinking really who wants to hack my cool new remote controlled GE light bulb? How could it have the power to do anything? Have you ever seen a locust? They are small and easy to kill, but if you have a swarm of them like in one of those movies that shows the plague of locusts on Egypt you have a good reference point for thinking about what kind of power someone controlling hundreds of thousands of these devices might be able to wield.

If you are concerned about your web servers and network hardware most vendors have patches out already to secure the affected devices though your toasters are still vulnerable and there really isn’t anything to do to fix them at the moment. I recommend that if you are running a Linux server you contact your IT department and patch it. You should also have your IT provider check to see if any of your network devices like routers, switches, and wireless access points have been identified as vulnerable by the manufacturer and patch them immediately as well.

Leave a Reply