Shellshock: Shock & Awe

Shellshock virus

Shellshock: Shock & Awe
| published Sept. 28, 2014 |

By Thursday Review staff


In a year marked by data breaches and computer vulnerabilities, each new arrival seems worse than the last. Last December, weeks after the peak of holiday shopping, we learned that Target’s credit card and payment system had been compromised. By some estimates, the personal data of as many as 70 million Target shoppers was hacked. Ten months later, Target is still suffering from the effects of the data breach. Then, only weeks later, we learned that Michael’s and Neiman Marcus had become the victims of a similar data violation.

Still, the dust was settling, and we thought the worst might be over. That’s when the floodgates opened again with the April arrival of Heartbleed—a vulnerability with wide-ranging consequences for millions of computer users worldwide. Heartbleed exploited a gap in a popular encryption tool called OpenSSL. That tiny gap had been largely undiscovered, though some white hat hackers in Scandinavia were aware of its existence in late 2013. Heartbleed sent shockwaves through the halls of Cisco, Google, and Microsoft, and it took weeks before the recommended fixes trickled down through the tech world (in fact, many small businesses have not employed a fix even now). Hackers in China, Russia and a dozen other countries went to work exploiting Heartbleed’s possibilities, and Heartbleed may have been the vulnerability used by thieves to steal the patient information cached by one of the largest hospital chains in North America.

Heartbleed was followed by something called Backoff in August. Backoff, which is very hard to detect, is a retail point-of-sale vulnerability that allows hackers to grab credit card and debit card data, in some cases rerouting even payments. Backoff was designed to exploit weaknesses in commonly-used remote-access software, and it can affect popular remote-access tools used by Google, Microsoft, Apple, Google Chrome, LogMEin, and a dozen other services. Then, earlier in September, we learned that Home Depot—the nation’s largest seller of home improvement materials projects and tools for construction—had been hacked, its customer data compromised on a massive scale.

Our newest enemy—and cause for this month’s heartburn—is “Shellshock,” which, like Heartbleed, requires complex explanations so circuitous and arcane that many security analysts fear the majority of those affected may not be able to implement a solution, and this may include thousands of business, large and small.

It breaks down into two categories: the good news and the bad news. First, the good news: according to Apple, its millions of users are at little—if any—risk from the effects of Shellshock. At least that’s the most recent talking point from the folks at Apple (yes, the same ones that rolled out the new iPhone 6 recently, and were immediately beset by glitches and talk of the phone easily bending if placed in pants pockets, front or back).

The bad news: almost everyone else is at risk. The vulnerability exploits a weakness in something called BASH, a default shell for Linux, OS X and other operating systems, and a system software which dates back to earliest days of the personal computer (and by that we mean the mid-1980s) commonly used worldwide. Although not typically used as default software on new computers running Windows, BASH is nevertheless packed in with literally thousands of products routinely added to computers which run Windows. For lack of a better explanation (and trust us when we tell you your eyes will glaze over if you actually bother to read how it works), BASH serves as a kind of translator tool—a convenient and proven mechanism for getting certain scripts and codes to work and play well together on your PC. It can be found in about half of the world’s personal computers, and that turns out to be the bad part.

Shellshock exploits a weakness in BASH, in essence allowing it to accept tacked-on code, injected from an outside party. The hacker can then have access to the command line, which means not only is it possible for cyber-prowlers to run activities and actions on your computer you would not normally run, it also allows intruders to insert malicious code into your computer, and even rummage around for more important things. Shellshock, in that sense, is very dangerous for the havoc it can unleash in stages.

There is a glimmer of hope for individual PC owners and users who are working in small business environments: Shellshock’s quarry may be limited for now to organizations and businesses which use web servers. But that’s still a lot of computers in a lot of places, and businesses have been warned (through emails and alerts from the Department of Homeland Security and from the U.S. Computer Emergency Readiness Team) to take necessary precautions by finding appropriate fixes and patches—as soon as possible. Like Heartbleed, Shellshock may have after-effects which could pop up months, even years from now, especially if the necessary repairs have not been made.

“Patches have been released to fix this vulnerability,” said an email from US-CERT, “by major Linux vendors for affected versions….It is advised to install existing patches and pay attention for updated patches to address [this problem].” Translation: if you use Linux, get the fix, now.

But as of Friday, patches and fixes were still not available for every computer, though the other major makers of operating systems were working overtime to find a solution. That same email strongly suggested that those using computers which operate with UNIX, OS X, and other operating systems contact the appropriate vendor. US-CERT offered a link with a list of those vendors and contact numbers. Here’s the link:

Related Thursday Review articles:

New Retail Cyber Threat: Back-Off; Thursday Review staff; Thursday Review; August 2, 2014.

Home Depot’s Data Breach: Worse Than We Thought; Thursday Review; Sept. 23, 2014.