We're constantly hearing about security compromises on the news. Home Depot and Target are the most notable in recent history. Someone somewhere figured out a security flaw in their systems, exploited it, and obtained MILLIONS of credit card numbers. Target's CEO Greg Steinhafel even resigned because of the hack.
October National Cyber Security Awareness month, a program sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center. We here in the IT department at Bit-Wizards are putting together some in-depth articles to raise awareness and draw attention to cyber-security and cyber-hygiene. Our IT Wizard, Jeff, kicked off the series with some very practical steps
to make sure your IT department is actively helping the nation have a stronger cyber infrastructure, and not adding to the open attack vulnerabilities.
In the past few weeks a new security exploit has surfaced, and you may have heard of it because it's a pretty big one with some scary implications. It's called commonly called Shell Shock and it's scary because of how many computers it affects. Pretty much any non-windows computer contains this vulnerability. This means all forms of Unix (FreeBSD, NetBSD, etc.), Linux (Redhat, Ubuntu, OpenSuse, Debian, etc.) and Mac OS X, which has been running on all Apple computers in the last decade. Even Linux servers running on Microsoft’s Azure cloud service are vulnerable!
A Little History
In computer years, Unix is ancient. It originated in the mid-1960's on big main-frame computers, and it's held up remarkably well over the decades, adapting to the times while remaining true to itself. It's generally very stable and secure. Due to some legal issues in its early days, there are many variations of Unix, but all have the same foundation. In the 90's Linux was born, built on the same base as Unix but by definition free for all, and much of the World Wide Web is run on Linux servers. Google took Linux and made their own version of it on smartphones and call it Android. In 2001 Apple rebuilt their operating system from the ground up, based on BSD Unix and called it Mac OS X. They later created custom versions of this operating system for iPhone and iPad. On top of this, many modems, network switches and wireless routers all operate on an embedded custom version of Linux. All of these have a "shell" where individual commands are executed, and as you can guess there are A LOT of these devices in the world. This shell is where the name comes from and where the problem lies.
The shell (specifically BASH) is where all the behind the scenes stuff of the operating system happens. It's a very powerful environment; if you have the right permissions you can erase the entire computer with just a few commands. A key component of the shell environment is the concept of variables. Just like the letters representing numbers in the algebra you were so happy to leave behind after school, variables let you create complex programs by adding a dynamic element to shell scripts. There is a safety measure built in, though. Environment variables cannot
be executable. That way nobody can maliciously tell your OS that "My Documents" = "delete everything", so that when you even look at My Documents it formats your hard drive. As you might imagine, that's quite important.
So environment variables are irrefutably safe... Until they're not. Recently it was discovered that with just a few special characters it's possible to inject executable code into "harmless" variables. That's very bad. Amazingly, this vulnerability has been sitting there in BASH for over 25 years but wasn't discovered until the past few weeks. There's bad news and good news:
If someone can gain access to a system they can use this vulnerability to make the computer do things you don't want it to do. Worse, if a web server is allowed to execute code on the computer it sits on, this can be really bad, as it could potentially give access to all the databases stored on the same machine. Also, there are a LOT of computers and devices out there running BASH, so there is great potential for damage.
This shouldn't be an issue for everyday people like you and me. Unless someone has access to remotely log into your computer, or unless you're running a web server (you should know if you are) it won't be an issue. It would be incredibly hard to hack into your Mac or Android phone and then execute code. And in all likeliness, updates for all vulnerable devices will be released soon.
Update: Apple has released security patches:
This is a great example of why it's important to keep your computer updated. Sometimes these things can lie dormant for decades, but once it's public knowledge you need to install any patches that are available. It's very tempting to press the "Remind me later" button when your computer tells you an update is available, especially if it will require rebooting your computer. However an ounce of prevention is worth a pound of cure, and taking care of it now will be much simpler and cheaper than the alternative.