In April I provided advice to STEP members on how to handle the protection of their online accounts following the revelation of the ‘Heartbleed’ exploit. A new exploit dubbed ‘Shellshock’ was discovered last week, and it is widely recognised as being more serious and far-reaching than Heartbleed. With the potential to affect everything from web hosting servers to Apple’s OS X operating system and a large number of home user items such as routers and home automation systems, Shellshock could have very far-reaching implications. Particularly worrying is that the vulnerability behind Shellshock has existed in home and office software for over 20 years. Given that so many of our members manage firms with extensive IT set-ups, and most work from home or in transit using Wi-Fi networks each week, I strongly encourage you to review your online security against Shellshock. If your firm has an IT department or IT support provider, I urge you to contact them to ensure your system is secure.
What is Shellshock?
The exploit centres on BASH (Bourne Again SHell), which has a very similar role to the Windows command prompt and allows you to run commands on Unix and Linux systems (popular alternatives to Windows). The problem lies in the fact that you are able to define variables in BASH which specify a function: for example, you could define a variable called HELLO_WORLD_VAR, the function of which would be to make the message ‘Hello World’ appear on the screen when executed. The code for this would look something like: HELLO_WORLD_VAR='() { echo "Hello World"; };'
The problem with Shellshock is that you can put any command after the end of a normal function definition and BASH will process whatever you add. You could add a command at the end of the code like this: HELLO_WORLD_VAR='() { echo "Hello World"; }; DELETE ALL FILES'. BASH would define the HELLO_WORLD_VAR function and then carry out the ‘DELETE ALL FILES’ command. Obviously, ‘DELETE ALL FILES’ is a simplified example, but there is the potential for a hacker with knowledge of BASH to run any command they wish from here.
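The safest way to understand the defect described above is to ask your own copy of BASH whether it still behaves this way. The following POSIX shell script is an added example and is not code from the original article: it hands a child bash a variable in the same ‘function-in-a-variable’ shape, with a harmless echo placed after the function body, and reports ‘vulnerable’ only if that trailing echo actually ran. The variable name PROBE_VAR and the marker strings are constructed for this example. Run it on each Unix, Linux or OS X machine you look after, and run it again after your vendor’s update has been applied.

```shell
#!/bin/sh
# Added example, not part of the original article: a local self-check for
# the Shellshock behaviour. A vulnerable bash executes the command placed
# after an imported function body; a patched bash ignores it.

# Prints one of: vulnerable, patched, no-bash, unknown.
# Optional first argument: path to the bash binary to test (default: bash).
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # PROBE_VAR is a constructed name. The value is the same shape as the
    # article's HELLO_WORLD_VAR: '() { body; }' followed by an extra command.
    # The extra command here only prints a marker string, nothing else.
    out=$(env PROBE_VAR='() { :; }; echo TRAILING_COMMAND_RAN' \
          "$bash_bin" -c 'echo child-ran' 2>/dev/null)
    case "$out" in
        *TRAILING_COMMAND_RAN*) echo "vulnerable" ;;   # trailing command executed
        *child-ran*)            echo "patched" ;;      # only the intended command ran
        *)                      echo "unknown" ;;      # bash did not start cleanly
    esac
}

# Human-readable summary with an exit status usable from other scripts:
# 0 = nothing to do, 1 = update required, 2 = could not determine.
main() {
    status=$(shellshock_status "${1:-bash}")
    echo "bash status: $status"
    case "$status" in
        vulnerable) echo "Apply your vendor's bash update now."; return 1 ;;
        patched)    echo "Commands after an imported function are ignored."; return 0 ;;
        no-bash)    echo "bash is not installed here; nothing to patch on this host."; return 0 ;;
        *)          echo "Could not determine status; check bash manually."; return 2 ;;
    esac
}

main "$@"
```

The check never runs anything more than an echo, so it is safe to use on a live system; the vendor update changes how bash imports functions from the environment, which is why the marker stops appearing once the patch is installed.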
The good news for users is that this exploit is very different from Heartbleed and you don’t need to change all of your passwords; however, the bad news is that it has the potential to impact items that the average user would never think of updating, such as routers and modems. When you also consider that Shellshock is likely to affect some very old products still in use that manufacturers are unlikely to bother updating, you begin to understand just how much of an impact this could have if you’re unlucky enough to be targeted by a hacker.
Anyone who has already read the news articles will likely have seen mention that Apple users are at risk, which is probably the main concern in the minds of home users; however, Apple has released the following statement in order to reassure customers:
‘The vast majority of OS X users are not at risk to recently reported BASH vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.’
That statement implies that the average Mac user is not affected; even so, I would certainly recommend paying extra attention to keeping your Mac up to date with the latest patches. For anyone else, my opinion is that you should keep up to speed and check for updates where possible. The list of potentially affected products is so large at this point that it wouldn’t be possible for me to give more detailed advice than that.
What does this mean for STEP?
- STEP’s website host provider was vulnerable to this exploit; however, we have already taken action to ensure patches are applied
- Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
- We have also reached out to all our service providers to confirm that no breach occurred on any of the sites they host
What does this mean for members?
- Due to the nature of the exploit, members do not need to take any action with regard to their STEP accounts; however, everyone should be vigilant to developments over the coming weeks and apply patches where manufacturers provide them
Again, if your firm has IT support I encourage you to contact them to ensure that your systems are secure. If you have any queries about Shellshock and what you need to do please feel free to contact me.
James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal