For those who have opened papers and turned on the news to descriptions of the latest bug, ‘Shellshock’ or the ‘Bash Bug’, whose terrifying description has included words such as ‘deadly’, ‘severe’, ‘critical’ and ‘catastrophic’, I thought I would simplify what it’s all about and what you actually need to know. The first thing to mention is that our clients can rest assured that they are in safe hands. Our patch schedule has meant that all of our customer servers were patched even before knowledge of the exploit was widespread. We also don’t routinely install the additional software that would give a hacker a 'way in' to the system – so we’re good on two levels. Now you know not to panic - it's good to see what we're dealing with here...
What does Bash stand for?
Modern operating systems are designed like a nut - they have a "kernel" in the middle (that does most of the actual work) and a bunch of programs that help interact with it - known as a "Shell". Bash stands for Bourne-Again Shell (it's a geek pun - the guy who wrote it was Stephen Bourne). It's basically a computer program that allows users to type commands and executes them. To this day, it's one of the most popular ways for system admins, computer programmers, and the technically-savvy of us, to execute complex commands on computers.
What is the problem? Who does it affect?
It is a serious bug that affects a lot of computers in the world. The obvious ones are Linux and the Mac OS X operating systems - which install 'bash' as standard. But that's not all - every router, wifi point, phone - from a Raspberry Pi to a Nuclear Power Plant Control Console - anything *could* have a copy of 'bash' installed. Even Windows machines can have a version of bash installed for specific tasks (for use in the popular Cygwin suite for example). As this bug has been around for 20 odd years, the main worry is that all the 'forgotten' machines could be hacked by nefarious outsiders.
The bug itself is quite simple - Bash has a feature where users can set "environment variables" and retrieve them later. Because Bash allows a computer to be administered remotely (a huge plus for us IT professionals), hackers can sneak their code into shell commands so that any time Bash is called up, it will trick the computer into treating a certain part of code as a command rather than just a string of letters and will carry out the infiltrating commands. An additional attack vector is any program that calls the bash shell on the server - a notable example of this is the Apache webserver with mod_cgi installed. Having both a vulnerable bash version installed and a web enabled system that allows it to be run remotely is going to allow a hacker into the system.
Why is this scary?
It gives hackers possible access to any computer installed in the last 20 years that isn't being looked after. They can tell a vulnerable machine to run spyware, send your private files to a remote server, deface websites, steal user data and send out spam etc. Not good.
Should you be worried?
Our clients can rest assured that we have done everything to protect our servers, have completed all necessary patches and are secure. The vulnerability also affects servers more than users' own computers, so although a concern, it's not ‘deadly’ quite yet. One other aspect that makes it less concerning now the world is aware of it is that it's very easy to find out if a machine is vulnerable - so we can quickly check our systems. If it’s your work computer you are concerned about - we would hope that your IT specialists have already acted.
What should I be wary of whilst they find a fix?
It’s the same advice as I would give to someone without a ‘deadly’ virus on the loose.
Watch for security updates, particularly on OS X.
Keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software.
Be cautious of emails requesting information or instructing you to run software (these are often followed by phishing attacks that capitalise on consumers’ fears).
Be very wary of an email from any unknown source that suddenly tells you to download a “fix” for Shellshock! It’s likely to be a hoax.
And if you are a client who would like some reassurance of what we have done and the safety of your servers, please do not hesitate to get in touch.