ShellShock: Linux and Apple systems major security issue

A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.

The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.

Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.

The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function. Cyber analysts said last night that authorities must act immediately to close the loophole, pointing out that within hours of it being discovered, hackers had started exploiting the flaw, posting videos of their exploits online. Although software “patches” have already been distributed to deal with the problem, they are not thought to be fully effective.

Professor Alan Woodward, a security researcher from the University of Surrey, said more than 500 million websites and hundreds of millions of devices all over the world, including wi-fi routers, may be vulnerable to the Shellshock bug. “The thing that’s concerning me most is that we don’t yet really understand how it can be exploited,” he said.

“What we’re going to see over the next few days is people working out how to exploit this, and you’ll start to see different types of attack. Is it that they can syphon off all sorts of sensitive data? Can they steal people’s passwords? We don’t know yet – the attacks are being developed as we speak.”

David Jacoby, senior security researcher at internet security firm Kaspersky Lab, said: “The vulnerability is not targeting individuals, but servers hosted on the internet. This means that if, for example, your favourite e-commerce or banking website were vulnerable, the attackers could, in theory, compromise that server and gain access to your personal information, including maybe banking information.

“It’s very difficult to say exactly what platforms might be vulnerable and might have been targeted, but I would recommend that you do not actively use your credit card or share a lot of sensitive information for the next couple of days, until security researchers have been able to find out more information about this situation.”

Shellshock was initially compared to the “Heartbleed” bug reported in April, a web encryption flaw which went unnoticed for more than two years and could have given hackers access to an unlimited array of customers’ secure data.

But Kasper Lindegaard, director of research at computer security firm Secunia, said the bug inside Bash was far more dangerous. “Heartbleed only enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems. We have only seen the tip of the iceberg so far,” he said.

A spokesperson for the Cabinet Office said the Government’s computer security advisers were attempting to tackle the problem.

“Cert-UK is working with partners and industry to ensure that organisations are able to patch their systems as soon as possible. Government is also working to ensure that its own systems are secure,” they said.

Source (The Independant)

Comments are closed.