The Bash Bug Could be a “Joe Biden-sized” Problem – Part 1
Charting Course ^ | 8/26/14 | Steve Berman

Posted on 09/26/2014 12:01:55 PM PDT by lifeofgrace


Unless you’re a real-life version of Sheldon Cooper, a computer security professional, or, like me, work in the online payment industry, you probably don’t keep up with the latest computer vulnerabilities.  A new one that’s hit the web news like a tsunami in the last 72 hours is simply called “the bash bug” (sometimes called “shellshock”).  Everyone from Time, to Vox*, to tech site C|Net has covered this story.

I am not going to get technical here.  You can read any of the above-mentioned articles, which provide plenty of detail on that.  To summarize the problem:  a 25-year-old program that’s in an enormous number of systems that power websites, personal laptops, industrial computers, and “stuff”, can potentially be exploited to do—essentially whatever the exploiter commands it to do.  The program runs at a very bare-metal level of the computer’s operating system, and is used by system administrators to perform all kinds of menial, and some not-so-menial, tasks.

According to security researcher Bruce Schneier (quoted in the C|Net article):

"On the scale of 1 to 10, this is an 11," he said, estimating that half a million websites were vulnerable.

If you were to picture your company’s web server like a Borg cube from Star Trek (forgive me for the Trekker reference, I can’t help it):  when Captain Picard aka Locutus knew exactly where the Federation ships should fire to destroy the Borg, Data told him that appeared to be a low-priority system—something unlikely to do damage.  That’s the bash bug.  There are two scary things about it:
  1. In the world of security exploits, it’s ridiculously easy for novice hackers to take advantage of this one.  Many vulnerabilities require extensive programming knowledge, and specifically crafted computer programs to attack target computers.  The bash bug can be exploited by a precocious nine-year-old with very little special training.
  2. The operating system affected by the bash bug is almost ubiquitous, in systems that actually matter.  It’s probably not going to penetrate your Windows computer, but it may penetrate your WiFi router, your cable modem, your satellite receiver, or your thermostat.
I’ll get into the thermostat and other “connected Things” you may have in your home in my next post.  Here, I will stick to devices that are made specifically to be connected to the Internet.

What should you do?  That’s really the question.  First things first:  don’t panic.  This threat is serious, but it’s not really targeted at your computer.  If you don’t run a homegrown Linux computer serving web pages, you are likely not a target.  That being said, I’d start with a few simple steps.

  1. Look around your house for devices that connect you to the Internet:  your cable box, WiFi access point, DSL modem, any network device you have.  Write down the model numbers and manufacturers.
  2. Go to each vendor’s website and see if they’ve made a statement about the bash bug or shellshock.  They may say they’re not vulnerable, which is great—cross those off the list.  They may have instructions or software updates.  Do what they recommend.
  3. If your router or WiFi access point is vulnerable, follow step 2, and then change your wireless network name (called the SSID), and change the passwords.  This is simply for safety’s sake.  If something’s been compromised, you won’t know it.  Don’t make the change until you’re sure the device is no longer vulnerable.  I’d do it anyway, even if the manufacturer says there’s no vulnerability.  You can’t be too careful.
That’s it.  If you’ve got home network devices connected to the Internet that you don’t use/need, consider taking them offline.  Do you really need five different ways to serve up NetFlix?  If you don’t use it online, then take it offline, except to check for updates, then take it offline again.

In computer security, when dealing with classified information, the saying goes that the safest computer is the one that’s unplugged (from the network, and from the wall outlet if you can manage it).  No need to get paranoid here, but the bash bug has the potential to be a Vice-Presidential-level problem:  it affects the whole AlGore-invented Internet, and it’s a Joe Biden-sized big f****ng deal.  We should treat it accordingly.

*Interestingly, Vox’s story on this might actually be the best one, balanced and technically correct.  That’s likely because neither Zack Beauchamp, Max Fisher, nor Matthew Yglesias wrote the piece.


TOPICS: Computers/Internet
KEYWORDS: bashbug; computers; computing; hackers; shellshock

1 posted on 09/26/2014 12:01:55 PM PDT by lifeofgrace

To: lifeofgrace

If you are running dd-wrt on your router, your router is OK because it does not use the Bourne shell. It uses BusyBox.

http://security.stackexchange.com/questions/68255/shellshock-exploit-on-linux-routers-modems


2 posted on 09/26/2014 12:10:39 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)

To: lifeofgrace

bookmark for later


3 posted on 09/26/2014 12:27:43 PM PDT by RightGeek (FUBO and the donkey you rode in on)

To: E. Pluribus Unum

Got rid of my Cisco running dd-wrt, and now using Apple Time Capsule 802.11ac. Hopefully not a problem.


4 posted on 09/26/2014 12:29:32 PM PDT by lifeofgrace (Follow me on Twitter @lifeofgrace224)

To: lifeofgrace

bookmark for later


5 posted on 09/26/2014 12:30:16 PM PDT by Maceman

To: lifeofgrace

bm


6 posted on 09/26/2014 12:30:27 PM PDT by MikeinMotley

To: lifeofgrace

For later


7 posted on 09/26/2014 12:47:11 PM PDT by redgolum ("God is dead" -- Nietzsche. "Nietzsche is dead" -- God.)

To: E. Pluribus Unum

Whew, thanks!

So glad I upgraded my router firmware


8 posted on 09/26/2014 12:48:59 PM PDT by GraceG (No, My Initials are not A.B.)

To: lifeofgrace

What I don’t understand is how they are just discovering this NOW.


9 posted on 09/26/2014 1:43:36 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)

To: E. Pluribus Unum

> If you are running dd-wrt on your router, your router is OK because it does not use the Bourne shell. It uses BusyBox.

I thought this bug affected bash, not sh? Or is this a bug that's made its way into several shells, being misreported by the press?

10 posted on 09/26/2014 1:59:32 PM PDT by AnotherUnixGeek

To: AnotherUnixGeek

I was just parroting that article I linked to.


11 posted on 09/26/2014 2:05:23 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)

To: AnotherUnixGeek

I misquoted the article, but the fact remains that dd-wrt uses BusyBox, not bash.


12 posted on 09/26/2014 2:06:27 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)
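Comments 2, 10 and 12 turn on a single question: does the device run bash at all, or only a BusyBox sh? The script below is an added example, not code from anyone in this thread, that answers that for the box it is run on: it follows the /bin/sh symlink by hand (BusyBox's readlink often lacks -f) and reports whether a bash binary is on the PATH. The function names and the choice to classify by the binary's basename are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report what /bin/sh really is and
# whether bash is installed at all. Function names and paths are assumptions.

# Follow symlinks one hop at a time so this also works where readlink has no -f.
resolve_path() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p") || break
        case "$t" in
            /*) p=$t ;;                      # absolute link target
            *)  p="$(dirname "$p")/$t" ;;    # relative target: keep the directory
        esac
    done
    printf '%s\n' "$p"
}

# Classify a resolved shell path by its basename: bash, busybox, dash or other.
classify_shell() {
    case "$(basename "$1")" in
        bash*)    echo bash ;;
        busybox*) echo busybox ;;
        dash)     echo dash ;;
        *)        echo other ;;
    esac
}

# Print what /bin/sh resolves to and whether a bash binary exists on the PATH.
report_shells() {
    target=$(resolve_path /bin/sh)
    printf '/bin/sh -> %s (%s)\n' "$target" "$(classify_shell "$target")"
    if command -v bash >/dev/null 2>&1; then
        printf 'bash present, version %s\n' "$(bash -c 'printf "%s" "$BASH_VERSION"')"
    else
        echo 'no bash binary found on PATH'
    fi
}

report_shells
```

Run it on the device itself (over the router's own shell), not on your PC. A result of busybox for /bin/sh with no bash binary means the interpreter the bug lives in is absent from that box; the vendor advisory is still the authoritative answer, since bash can be added as an optional package and the firmware may invoke it from places this check does not see.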
