Reuters reported recently of a new security bug exploit dubbed “Shellshock”, which has began spreading like wildfire, creating mass hysteria among all who could comprehend the sheer scale of the threat.
Bash (aka the Bourne again shell) is one of the most installed software utilities on many Unix-based systems. A newly discovered exploit in Bash allows Hackers complete access to a targeted system running affected operating systems, including Linux and Mac OS X.
The scale of the attack is nothing short of gargantuan; roughly 67% of all servers on the internet run some form of Unix.
While it’s incredibly terrifying just how grave the exploit is, equally horrifying is how easy it is to take advantage of- the bug has been given a maximum rating of “10” for severity and rated “low” for complexity of explanation. It’s the holy grail of exploits that hackers have been waiting for.
Just off the top of our heads, individuals with malicious intent could quite simply issue a command to a targeted system, telling it to send its entire database full of sensitive personal data to a location the hacker can access. It’s quick, it’s dirty, and above all, it’s easy. Hackers with an imagination could pull off potentially more elaborate and sinister attacks that could go beyond anything we can comprehend.
Cyber experts are already warning that Shellshock could pose an even bigger threat than the “Heartbleed” bug that arose in April, and it’s not hard to see why. While the Heartbleed bug only allowed hackers to spy on computers, this new threat allows hackers to freely roam in computer systems to do as they please.
Fortunately, Red Hat has released a patch to fix the exploit for Linux, available here (As of the time this article was written, there has been no word on an OS X fix as of yet).
Within Ground Labs, we’ve also taken immediate action to patch our own systems which use any of the affected operating systems, and we would strongly advise all organisations running an affected platform to also take action immediately.
More importantly – if you outsource any function of your business involving the handling of your customer’s sensitive information, then you must ask your outsourcers – what are you doing in response to this latest exploit?
However, the Reuter article mentions the viewpoints of a few other security experts, who claim that the patch is “incomplete”. Chris Wysopal, the chief technology officer with security software maker Veracode, said that their company will “likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective”.
This isn’t the first time a major security flaw affecting millions of systems has been found, and it won’t be the last. The core data security philosophy we stand by at Ground Labs reigns especially true for this situation – the best way to protect your customers data is to assume you’re going to be hacked – and then take steps to ensure no sensitive data exists which the bad guys can easily steal.
Ground Labs’ Enterprise Recon makes this exercise simple for organisations of all types. The sensitive data discovery tool scans systems for over 95 types of sensitive customer data, including credit card data, healthcare information and personal identification numbers. Once found, remediation can be performed to either delete, encrypt, mask or move the sensitive data somewhere secure.
If you need to do the same thing on a much larger scale across multiple servers and systems, take Enterprise Recon for a spin. You can search an entire network for sensitive data, and remediate problems from a single central location.
By frequently validating that you’re not storing any sensitive data that hackers are after, you are adding an entirely new layer of security. Many believe that data breaches are inevitable; if that is true, then making sure you’re clear of sensitive data is a solid way to avoid being the next data-breach headline.
Given that the entire world is on the clock to rebuild their defenses, what counts most now is speed. It’s literally a race against hackers for who can patch first vs. attack first.
Make sure you’re the former, and not on the receiving end of the latter.