Tuesday, 14 October 2014

Has Shellshock made the internet unsafe?

Shellshock

A new security vulnerability affecting more computers than the Heartbleed bug allows hackers to steal your information from banks, routers and security cameras.

For the second time this year, security experts have discovered a widespread flaw that places the safety of the internet – and the personal information you store on it – in doubt.

The latest vulnerability is called Shellshock, and it affects more computers than Heartbleed – a flaw discovered in April that let hackers extract passwords from hundreds of thousands of the world’s most popular websites.


Shellshock is so serious that the US National Cyber Security Division rated it 10 out of 10 for both ‘exploitability’ and ‘potential impact’. The reason it’s considered such a threat is that the flaw lets hackers take control of software that is used by millions of web servers and internetconnected devices – and it’s much easier to exploit than the Heartbleed bug.

The threat goes beyond websites and home devices. The UK government said Shellshock could affect “critical national infrastructure”, such as power plants and hospitals, if companies and organisations didn’t respond quickly.

The software to blame is Bash, which is a Unix shell used by Linux, Apple’s OS X and other less popular operating systems. Like Command Prompt in Windows, Bash lets you control your PC using text commands rather than the traditional Desktop. Windows doesn’t use Bash, so hackers can’t exploit Shellshock to take control of Windows PCs (unlike Ubuntu and OS X users, who could’ve been infiltrated until both operating systems were patched).

But that doesn’t mean Windows users can breathe easily. If a hacker exploits the Bash flaw to infiltrate a web server, they can steal your personal information from a website running on it. If that site happens to be a bank, then the hacker could cause serious damage. The rewards for hackers are huge. Until companies fix the Bash flaw, you’re at risk.

Many companies, including Apple, have now patched the flaw in their software, but there are still millions of routers, security cameras and other internet-connected devices that use the Bash code. Thankfully, Virgin, TalkTalk, BT and Sky routers are unaffected because their firmware uses BusyBox, an alternative interface to Bash. If you use another company’s router, contact them to find out if they’re affected by Shellshock.

So are you at risk every time you go online? The answer is yes, if you use a router made by a company that has an unpatched version of Bash. If your router is safe, then your safety depends on the security of the web server running the websites you’re visiting, and that’s something you really shouldn’t have to worry about. Like so many security threats, this is unnerving because it makes you feel powerless. It’s a reminder that using the internet will always be a question of placing your trust in the security of websites and tech companies.

But things can improve. Like OpenSSL – the code in which Heartbleed was found – Bash is maintained by a small team of people and isn’t regularly updated. Major companies and governments need to show more support for these internet functions if we’re to avoid further disastrous flaws that jeopardise our online security.

THE FACTS

• Shellshock is an easily exploitable security flaw that exists in Bash, a Unix shell used by Linux and Apple’s OS X
• Hackers could use Bash to break into the servers of banks and hospitals to steal your personal information
• It’s rated 10 out of 10 for both exploitability and impact by the US National Cyber Security Division