The ‘Shellshock’ IT exploit: what you should do to protect your home and office systems

James Harris

In April I provided advice to STEP members on how to handle the protection of their online accounts following the revelation of the ‘Heartbleed’ exploit. A new exploit dubbed ‘Shellshock’ was discovered last week and it is widely recognised as being more serious and far-reaching than Heartbleed. With the potential to affect everything from web hosting servers to Apple’s OSX operating system and a large number of home user items such as routers and home automation systems, Shellshock could have very far-reaching implications. Particularly worrying is that the vulnerabilities behind Shellshock have existed in home and office software for over 20 years. Given that so many of our members manage firms with extensive IT set-ups, and most work from home or in transit using Wi-Fi networks each week, I strongly encourage you to review your online security against Shellshock. If your firm has an IT department or IT support provider, I urge you to contact them to ensure your system is secure.

What is Shellshock?

The exploit centres on BASH (Bourne Again SHell), which plays a role very similar to the Windows command prompt: it lets you run commands on Unix and Linux systems (popular alternatives to Windows). The problem lies in the fact that you are able to define variables in BASH which specify a function. For example, you could define a variable called HELLO_WORLD_VAR whose function makes the message ‘Hello World’ appear on the screen when executed. The code for this would look something like: HELLO_WORLD_VAR='() { echo "Hello World"; };'

The problem with Shellshock is that you can put any command after the end of a normal function definition and BASH will process whatever you add. You could add a command at the end of the code like this: HELLO_WORLD_VAR='() { echo "Hello World"; }; DELETE ALL FILES'. BASH would define the HELLO_WORLD_VAR function and then carry out the ‘DELETE ALL FILES’ command. Obviously, ‘DELETE ALL FILES’ is a simplified example, but there is the potential for a hacker with knowledge of BASH to run any command they wish from here.
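The following script is an added example, not part of the original article or of STEP's own tooling. It turns the mechanism just described into a self-check you can run on your own machine: it exports a variable in the same shape as HELLO_WORLD_VAR, but with the trailing command replaced by a harmless echo of a marker string, then starts a child bash and sees whether the marker was printed. An unpatched bash executes the trailing command while importing the function; a patched bash ignores it. It assumes a POSIX sh and that bash, if installed, is on PATH.

```shell
#!/bin/sh
# Added self-check for the Shellshock behaviour described above (the original
# bash bug, CVE-2014-6271): an environment variable whose value starts with
# "() {" is imported by bash as a function, and an unpatched bash also runs
# whatever follows the closing "}". A patched bash ignores the trailing text.
#
# The trailing command used here is only an "echo" of a marker string, so the
# check reveals nothing more than whether this machine's bash ran the marker.

# Prints exactly one of: patched | vulnerable | no-bash
# Exit status: 0 for patched or no-bash, 1 for vulnerable (usable in scripts).
shellshock_status() {
    marker="SHELLSHOCK_MARKER_$$"

    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Same shape as the article's HELLO_WORLD_VAR example, with the trailing
    # command replaced by a harmless echo. "probe" is an arbitrary variable
    # name; the variable exists only in the environment of the child bash.
    output=$(env "probe=() { :; }; echo $marker" bash -c 'echo child-ran' 2>/dev/null)

    case "$output" in
        *"$marker"*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Usage: run the check and report the result for this machine.
echo "bash on this machine: $(shellshock_status)"
```

The script only reports the state of the bash it finds on the machine it runs on; it does nothing to remote systems and does not fix anything. If it prints "vulnerable", the remedy is the vendor's bash update, after which the check should print "patched".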

The good news for users is that this exploit is very different from Heartbleed and you don’t need to change all of your passwords; however, the bad news is that it has the potential to impact items that the average user would never think of updating, such as routers and modems. When you also consider that Shellshock is likely to affect some very old products still in use that manufacturers are unlikely to bother updating, you begin to understand just how much of an impact this could have if you’re unlucky enough to be targeted by a hacker.

Anyone who has already read news articles will likely have seen mention that Apple users are at risk, which is likely to be the main concern in the minds of home users; however, Apple has released the following statement in order to reassure customers:

The vast majority of OS X users are not at risk to recently reported BASH vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

That statement implies that the average Mac user is not affected; I would nonetheless certainly recommend paying extra attention to keeping your Mac up to date with the latest patches. For anyone else, my opinion is that you should keep up to speed and check for updates where possible. The list of potentially affected products is so large at this point that it wouldn’t be possible for me to give more detailed advice than that.

What does this mean for STEP?

  • STEP’s website host provider was vulnerable to this exploit however we have already taken action to ensure patches are applied
  • Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
  • We have also reached out to all our service providers to confirm that no breach was incurred on any of the sites they host

What does this mean for members?

  • Due to the nature of the exploit, members do not need to take any action with regard to their STEP accounts; however, everyone should be vigilant to developments over the coming weeks and apply patches where manufacturers provide them

Again, if your firm has IT support I encourage you to contact them to ensure that your systems are secure. If you have any queries about Shellshock and what you need to do please feel free to contact me.

James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal

If it’s too good to be true, it’s probably just spam

James Harris

Last week several STEP members reported receiving suspicious and unsolicited emails from an individual purporting to work in international taxation. What made the spam email particularly unusual was the attention to detail the sender had paid to make it look like legitimate correspondence and the citation of STEP to add credibility to its content. It seems timely to look at junk and spam email and what you should do when encountering emails that don’t feel above-board.

Dealing with spam and junk email

We all have to deal with unwanted emails, both at home and at work, but as hacking and malware approaches become increasingly sophisticated it’s more important than ever that we understand the risks. Most employers and big email providers (such as Google and Microsoft) are continuously striving to protect us from unsolicited emails, but there are — and always will be — some that slip through the net. So how should we be dealing with spam and junk email that does get through? Firstly, I would recommend that any computer connecting to the internet has antivirus and malware protection installed and, most importantly, that it is kept up to date. I regularly come across users who bought antivirus software several years ago and didn’t pay to renew it, meaning it’s ineffective because it’s no longer receiving the latest definitions of what to scan for.

Having ensured your antivirus and malware protection software is up to date, there is a general set of guidelines you can follow to stay safe when reviewing your email, which will vary depending on the type of email you are looking at:

Spam email:

Spam is totally unsolicited mail and it can take various forms, from a scam email trying to convince you to transfer money to a seemingly worthy cause, right through to a seemingly random image or string of nonsensical letters. The first, and most simple, step in approaching this type of email is: if you don’t recognise the sender of the email and it’s not something you’re expecting, delete it without opening it. If you are unsure as to whether the email is legitimate (the email received by STEP members last week is a good example of the lengths spammers go to in order to look authentic), then you will need to open it in order to review it further. The second step to ensure you stay safe is not to click any links in the email unless you are confident that they are trustworthy. If the email in question is from a bank or anywhere that requires you to log in using sensitive information, don’t follow the link in the email; use a browser to go directly to the site to log in instead. This approach guarantees that you are on the site you expect to be on when you are submitting personal details.

There are always exceptions to these rules, and if you are ever in any doubt I would always recommend deleting the message. If it is important and someone is waiting for a response from you, you’re always better off proceeding with caution, protecting yourself and getting back to them later.

Junk email:

Junk will generally be email we receive from an opt-in service, such as an online retailer’s marketing email. This kind of mail is annoying but harmless and should be deleted, ignored or unsubscribed from. If you plan to unsubscribe, I recommend you don’t click the unsubscribe link in the email; rather, go to the site yourself in a browser and unsubscribe from there. If you click an unsubscribe link in a spam email masquerading as junk, you may actually be redirected to a site designed to capture your details. If you receive an email that looks like junk but you have no recollection of subscribing to it, then you should treat it as spam.

If you encounter any suspicious emails alleging links to STEP please let me know.

James Harris is STEP’s Information Technology Manager. He has previously written about the Heartbleed bug and measures STEP Members can take to protect themselves online.

Heartbleed Exploit: STEP’s response and cyber security measures you should take now

A critical new online security exploit dubbed ‘Heartbleed’ was announced on Monday night after being discovered by a member of the Google security team. The vulnerability is widely considered to be one of the most serious security flaws in the history of the internet and has been potentially exploitable since December 2011. Heartbleed affects the coding used to secure websites (the https:// part of a secure web address), which is estimated to be used in more than 60% of all secure websites around the world.

Heartbleed works by intercepting the ‘heartbeat’ component of the code that allows a server and client to maintain a connection, thus earning the exploit its name. The exploit allows an attacker to reveal the contents of a server’s memory, which can include private information like usernames, passwords, credit card numbers and contact details. It can also allow an attacker to impersonate the server they are compromising.

The good news is that there is already a fix available to resolve this issue and the majority of website hosts have already applied it; however, it is also necessary for users to change their passwords before the security of their personal information can be assured.

What does this mean for STEP?

  • STEP’s website host provider was vulnerable to this flaw however we have already taken action to ensure that all services provided to both members and staff are now secure
  • Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
  • We have also reached out to all our service providers and have confirmation that no breach was incurred on any of the sites they host

What does this mean for members?

  • As a precaution, STEP advises all members to change their password on our website
  • We do not store credit card or payment information on our site; however, we would like to take every precaution to ensure your security. This is especially important as many people reuse the same passwords across multiple websites
  • Heartbleed has affected many websites; it is estimated that as many as 66% of all secure websites worldwide were affected
  • The exploit requires fixing at two levels: firstly the hosts of a website need to apply a patch to fix the issue, which the majority of hosts have now done. Once this patch is in place, you should then change your password
  • This applies to every website that you store sensitive information on (shopping sites, email and social media are the most common), not just the STEP site

Not all websites have made the necessary security changes. Until the host of a website resolves the issue, changing your password will not offer you any protection. If you are unsure as to whether a site has applied the fix you can use this checker. You can also find a list of high profile UK websites and their statuses here and other popular websites here. If you use any of these websites you should change your password immediately.

Again, STEP has taken measures to protect the website and our members’ data from Heartbleed and there is no indication that it has been compromised. The most important thing to remember is to change your passwords on websites that have fixed the problem. If a website is yet to fix the problem, wait until it has done so before changing your passwords as they will still be vulnerable. If you have any queries about Heartbleed and what you need to do please feel free to contact me.

James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal