The Bash Bug Could be a “Joe Biden-sized” Problem – Part 1
Charting Course | 8/26/14 | Steve Berman
Posted on 09/26/2014 12:01:55 PM PDT by lifeofgrace
Unless you're a real-life version of Sheldon Cooper, a computer security professional, or, like me, someone who works in the online payment industry, you probably don't keep up with the latest computer vulnerabilities. A new one that's hit the web news like a tsunami in the last 72 hours is simply called the bash bug (sometimes called Shellshock). Everyone from Time, to Vox*, to tech site C|Net has covered this story.
I am not going to get technical here. You can read any of the above-mentioned articles, which provide plenty of detail on that. To summarize the problem: a 25-year-old program that's in an enormous number of systems that power websites, personal laptops, industrial computers, and more can potentially be exploited to do essentially whatever the exploiter commands it to do. The program runs at a very bare-metal level of the computer's operating system, and is used by system administrators to perform all kinds of menial, and some not-so-menial, tasks.
According to security researcher Bruce Schneier (quoted in the C|Net article):
"On the scale of 1 to 10, this is an 11," he said, estimating that half a million websites were vulnerable.
If you were to picture your company's web server like a Borg cube from Star Trek (forgive me for the Trekker reference, I can't help it): when Captain Picard, aka Locutus, knew exactly where the Federation ships should fire to destroy the Borg, Data told him that it appeared to be a low-priority system, something unlikely to do damage. That's the bash bug. There are two scary things about it:
- In the world of security exploits, it's ridiculously easy for novice hackers to take advantage of this one. Many vulnerabilities require extensive programming knowledge and specifically crafted computer programs to attack target computers. The bash bug can be exploited by a precocious nine-year-old with very little special training.
- The operating system affected by the bash bug is almost ubiquitous in systems that actually matter. It's probably not going to penetrate your Windows computer, but it may penetrate your WiFi router, your cable modem, your satellite receiver, or your thermostat.
I'll get into the thermostat and other connected Things you may have in your home in my next post. Here, I will stick to devices that are made specifically to be connected to the Internet. What should you do? That's really the question. First things first: don't panic. This threat is serious, but it's not really targeted at your computer. If you don't run a homegrown Linux computer serving web pages, you are likely not a target. That being said, I'd start with a few simple steps.
1. Look around your house for devices that connect you to the Internet: your cable box, WiFi access point, DSL modem, any network device you have. Write down the model numbers and manufacturers.
2. Go to each vendor's website and see if they've made a statement about the bash bug or Shellshock. They may say they're not vulnerable, which is great; cross those off the list. They may have instructions or software updates. Do what they recommend.
3. If your router or WiFi access point is vulnerable, follow step 2, and then change your wireless network name (called the SSID) and change the passwords. This is simply for safety's sake. If something's been compromised, you won't know it. Don't make the change until you're sure the device is no longer vulnerable. I'd do it anyway, even if the manufacturer says there's no vulnerability. You can't be too careful.
That's it. If you've got home network devices connected to the Internet that you don't use or need, consider taking them offline. Do you really need five different ways to serve up Netflix? If you don't use it online, then take it offline, except to check for updates, then take it offline again. In computer security, when dealing with classified information, the saying goes that the safest computer is the one that's unplugged (from the network, and from the wall outlet if you can manage it). No need to get paranoid here, but the bash bug has the potential to be a Vice-Presidential-level problem: it affects the whole Al Gore-invented Internet, and it's a Joe Biden-sized big f****ng deal. We should treat it accordingly.
*Interestingly, Vox's story on this might actually be the best one, balanced and technically correct. That's likely because neither Zack Beauchamp, Max Fisher, nor Matthew Yglesias wrote the piece.
TOPICS: Computers/Internet
KEYWORDS: bashbug; computers; computing; hackers; shellshock
To: lifeofgrace
2 | posted on 09/26/2014 12:10:39 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)
To: lifeofgrace
3 | posted on 09/26/2014 12:27:43 PM PDT by RightGeek (FUBO and the donkey you rode in on)
To: E. Pluribus Unum
Got rid of my Cisco running dd-wrt, and now using Apple Time Capsule 802.11ac. Hopefully not a problem.
4 | posted on 09/26/2014 12:29:32 PM PDT by lifeofgrace (Follow me on Twitter @lifeofgrace224)
To: lifeofgrace
5 | posted on 09/26/2014 12:30:16 PM PDT by Maceman
To: lifeofgrace
To: lifeofgrace
7 | posted on 09/26/2014 12:47:11 PM PDT by redgolum ("God is dead" -- Nietzsche. "Nietzsche is dead" -- God.)
To: E. Pluribus Unum
Whew, thanks! So glad I upgraded my router firmware.
8 | posted on 09/26/2014 12:48:59 PM PDT by GraceG (No, My Initials are not A.B.)
To: lifeofgrace
What I don’t understand is how they are just discovering this NOW.
9 | posted on 09/26/2014 1:43:36 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)
To: E. Pluribus Unum
If you are running dd-wrt on your router, your router is OK because it does not use the Bourne shell. It uses BusyBox.
I thought this bug affected bash, not sh? Or is this a bug that's made its way into several shells, being misreported by the press?
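The question in this exchange is which shell a device actually ships. The bug is in bash's handling of function definitions passed through environment variables; BusyBox's ash does not import functions from the environment at all, so a firmware whose /bin/sh is the busybox binary is not exposed through that path. The following POSIX sh script is an added example, not code from this thread, from dd-wrt, or from any vendor: it resolves what /bin/sh points to on a Linux host, classifies a shell's version banner, and runs the widely published local self-test against any bash it finds. The function names are my own, the banner strings in the comments are constructed, and it assumes a Linux userland with readlink(1).

```shell
#!/bin/sh
# Added example, not from the thread or the dd-wrt project: report which shell
# a host really uses and whether its bash (if any) still executes commands
# smuggled in a function-shaped environment variable (the Shellshock flaw).
# Assumes readlink(1) is available; function names are hypothetical.

# Classify a shell's version banner: bash, busybox (ash), or other (dash etc.).
# Constructed sample banners:
#   "GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)"  -> bash
#   "BusyBox v1.19.4 (2013-05-20 15:36:35 CEST) multi-call binary." -> busybox
classify_shell() {
    case "$1" in
        *"GNU bash"*) echo bash ;;
        *BusyBox*)    echo busybox ;;
        *)            echo other ;;
    esac
}

# Resolve /bin/sh to the real binary. On dd-wrt-style firmware this is the
# busybox multi-call binary; on Debian it is dash; on some older distributions
# it is bash itself, which is the case that matters for this bug.
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Local self-test as published by distribution vendors in 2014: a patched bash
# treats an ordinary environment variable whose value looks like a function
# definition as plain data; an unpatched bash parses it as a function and also
# runs the command that follows the function body while starting up.
# Prints: absent (no bash on this host), vulnerable, or patched.
bash_env_function_check() {
    bash_bin=${1:-$(command -v bash || true)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo absent
        return 0
    fi
    out=$(env shellshock_probe='() { :;}; echo vulnerable' \
              "$bash_bin" -c 'true' </dev/null 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Report for this host. A router owner would run the same checks in a shell
# session on the device itself, not on the PC connected to it.
main() {
    target=$(sh_target)
    case "$target" in
        *busybox*) kind=busybox ;;   # multi-call binary: the path is decisive
        *) banner=$("$target" --version </dev/null 2>&1 | head -n 1)
           kind=$(classify_shell "$banner") ;;
    esac
    printf '/bin/sh -> %s (%s)\n' "$target" "$kind"
    printf 'bash self-test: %s\n' "$(bash_env_function_check)"
}

main "$@"
```

A "busybox" result for /bin/sh is the situation the dd-wrt comment describes; "patched" means bash is present but a fixed build is installed; "vulnerable" means the device needs the vendor's update before anything else in the thread's checklist is worth doing. Note that a host can report busybox or dash for /bin/sh and still carry a separate bash binary, which is why the self-test looks up bash independently.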
To: AnotherUnixGeek
I was just parroting that article I linked to.
11 | posted on 09/26/2014 2:05:23 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)
To: AnotherUnixGeek
I misquoted the article, but the fact remains that dd-wrt uses BusyBox, not bash.
12 | posted on 09/26/2014 2:06:27 PM PDT by E. Pluribus Unum ("The man who damns money obtained it dishonorably; the man who respects it earned it." --Ayn Rand)