Shellshock bug could be ‘Worse than Heartbleed’
29 · SEP ·2014
Shockwaves were sent through the online world last week as a new bug was uncovered, aptly named ‘Shellshock’. According to reports, nearly five hundred million computers have already been affected, which is why some are claiming that this new form of malware is worse than the Heartbleed bug discovered back in April which enabled hackers to gain access to millions of users’ passwords across the world.
The new bug targets the Bourne-Again SHell (BASH) command prompt in Unix based software which is used in Apple Mac computers and web servers to name a few. Those that use software such as OS X, Linux or Apache are vulnerable to attacks, and unlike the Heartbleed bug hackers are not just able to bypass security to view certain information, they are able to access entire systems. Discussing the issue, Professor Alan Woodward, a security researcher from the University of Surrey, said: "Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system. The door's wide open.”
Just hours after the discovery of Shellshock, leading cybersecurity firms announced that hackers were already trying to use the malware as a ‘worm’ in order to attack both computers and websites. Jason Steer, director of technology strategy at the online security specialist FireEye, said: “The most sophisticated cyber attacks today are designed to ensure long-term connectivity into systems. It’s about covert, long-term cyber squatting.”
At the same time as hackers started utilising the Shellshock malware, security companies across the world issued advice to users in order to protect their systems. Steer said: “It’s a big problem because of the number of systems that need to be identified and patched quickly. It’s by no means a minor piece of work. There are always going to be systems that get missed. And they will be vulnerable. You also have to assume that systems are already being compromised.”
The issue is currently so severe that the Information Commissioner’s Office (ICO) – backed by the UK government – has issued a statement claiming that users need to act fast in order to stop the bug spreading. The statement said: "This flaw could be allowing criminals to access personal data held on computers or other devices. For businesses, that should be ringing real alarm bells, because they have legal obligations to keep personal information secure.
"The worst thing would be to think this issue sounds too complicated - businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action. And for people who are concerned their personal information could be at risk on their own devices, the message is clear. Don't think this all sounds too complicated. Security updates are currently being rolled out - don't ignore them, but make sure you apply them as soon as practically possible."
Unfortunately, even with advanced firewalls and anti-virus software users are still vulnerable to the Shellshock bug unless they patch their systems as quickly as possible. This fact, along with the effects of the Heartbleed bug in April, has led to those in the technology industry questioning why such software is being implemented in the first place. BASH itself was only developed by one man - Chet Ramey from Case Western Reserve University in Ohio – which means that it is not regularly updated.
Tony Dyhouse from the UK's Trustworthy Software Initiative has previously spoken out about this issue, and in the wake of the Shellshock bug added: "To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up.
“This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK. Ultimately, this is a lifecycle problem. It's here because people are making mistakes whilst writing code and making further mistakes when patching the original problems."
Strategic Accounts Manager at Fluidata, Sam Coleman, said: “The Shellshock attack that has hit millions of devices already may be a business case for the comeback of the software based firewalls and anti-malware software that the bigger companies have shown signs of edging away from. As a whole the world has become more and more Internet reliant, day to day business and long term business strategies are now heavily involved with online data and the Internet.
“This inevitably leads to more secure development requirements and increased risks for the IT strategy. Fluidata will continue to be at the forefront and will carry on to support our end users as well as partners on fighting bugs by creating a quality, secure and efficient network that operates proactively to combat attacks such as this.”