Be Afraid of New Shellshock Exploit
Posted by aonenetworks on September 29, 2014
We told you this day would come, and so it has. Remember all the warnings about how vulnerable the internet of objects was, because they lack even the most rudimentary of protections? Most people read those warnings and shrugged them off. Today, however, we’re waking up to a threat several times larger than Heartbleed. Most at risk? All of those poor, defenseless internet objects.
What Is Shellshock?
Shellshock is a command-level bug in Bash, the command-line shell for Linux systems. It’s an unintended back door that allows hackers to take total control of unpatched devices. On the day the bug was found and announced, work began immediately on patching the 51% of the world’s internet servers vulnerable to it, but of course, it wasn’t in time. A botnet attack managed to take control of a few servers using the exploit. That’s fairly minor, however. There’s a reliable infrastructure to patch servers quickly, so the damage there, while bad, will be limited. There’s a great amount of urgency to close the door on this exploit, at least where servers are concerned.
Even so, as of now, Google estimates that as many as two billion web pages could be at risk. That’s a significant chunk of the web. Yes, the door will get closed, but until it does, that’s an enormous risk. And because the hack is wormable, meaning it can self-replicate, it can spread very quickly. If it gets behind the firewall of any large network anywhere, it’s pretty much game over for that system.
We Have The Technology – Or Do We?
We are fortunate, then, that there’s good infrastructure in place to handle server patching. That at least will mitigate the damage. However, there is one vast category of devices with no infrastructure in place for delivering a patch. You guessed it: all those hundreds of millions of internet objects, and nearly all of them are vulnerable to this hack. Almost any of them can be taken over at will, at any time, by even a moderately skilled hacker, and once taken over, it can be nigh on impossible to get control back. Why? Because the overwhelming majority of those internet objects lack even the most basic network protections. Not only do we not have the means of patching them, but we can’t easily get control back if they get taken over by someone who doesn’t have your best interests at heart.
At least with Heartbleed, all the hackers exploiting the bug could do was steal data. In this case, they can outright commandeer hardware, and of course, in the process of doing so, make off with not just some, but literally all of your data too.
Attacks began in earnest just four and a half hours after the bug was announced. They are increasing in momentum. Right now, it’s a race against time, with server owners patching as fast as they can, trying to mitigate the damage. Even if they succeed in limiting the damage on the server side, all that’s going to do is cause the hackers to descend like wolves on the much more numerous collection of internet objects, for which there is little or no protection.
We told you this day was coming, and now, it’s here. This is the first, but you can bet it won’t be the last. Are you prepared for it? How safe are your objects on the internet?
If you are interested in more technical details of the exploit, you can read about them here: http://lcamtuf.blogspot.co.nz/2014/09/quick-notes-about-bash-bug-its-impact.html