Shellshock: Panic at 'worst ever computer bug'



EE_
26th September 2014, 03:05 AM
Shellshock: Panic at 'worst ever computer bug' sees governments race to protect critical infrastructure

Consumers urged not to use credit cards online as cybersecurity experts say bug carries 'highest possible threat ratings'
Chris Green, Oscar Williams-Grut

Friday 26 September 2014

A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.

The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.

Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.

The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function.

Cyber analysts said last night that authorities must act immediately to close the loophole, pointing out that within hours of it being discovered, hackers had started exploiting the flaw, posting videos of their exploits online. Although software “patches” have already been distributed to deal with the problem, they are not thought to be fully effective.

Professor Alan Woodward, a security researcher from the University of Surrey, said more than 500 million websites and hundreds of millions of devices all over the world, including wi-fi routers, may be vulnerable to the Shellshock bug. “The thing that’s concerning me most is that we don’t yet really understand how it can be exploited,” he said.

“What we’re going to see over the next few days is people working out how to exploit this, and you’ll start to see different types of attack. Is it that they can syphon off all sorts of sensitive data? Can they steal people’s passwords? We don’t know yet – the attacks are being developed as we speak.” David Jacoby, senior security researcher at internet security firm Kaspersky Lab, said: “The vulnerability is not targeting individuals, but servers hosted on the internet. This means that if, for example, your favourite e-commerce or banking website were vulnerable, the attackers could, in theory, compromise that server and gain access to your personal information, including maybe banking information.

“It’s very difficult to say exactly what platforms might be vulnerable and might have been targeted, but I would recommend that you do not actively use your credit card or share a lot of sensitive information for the next couple of days, until security researchers have been able to find out more information about this situation.”

Shellshock was initially compared to the “Heartbleed” bug reported in April, a web encryption flaw which went unnoticed for more than two years and could have given hackers access to an unlimited array of customers’ secure data.

But Kasper Lindegaard, director of research at computer security firm Secunia, said the bug inside Bash was far more dangerous. “Heartbleed only enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems. We have only seen the tip of the iceberg so far,” he said.

A spokesperson for the Cabinet Office said the Government’s computer security advisers were attempting to tackle the problem.

“Cert-UK is working with partners and industry to ensure that organisations are able to patch their systems as soon as possible. Government is also working to ensure that its own systems are secure,” they said.

http://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-virus-panic-at-worst-ever-computer-bug-sees-governments-race-to-protect-critical-infrastructure-9756819.html

crimethink
26th September 2014, 03:09 AM
I suspect a lot of this electronic payment hacking is done by the Babylon System itself. Moving us closer to mandatory "secure payment systems." Like an implanted RFID. Or a Mark on the forehead or right hand.

Half Sense
26th September 2014, 07:22 AM
bash is just a command processor, a "shell" to run commands from. Why don't they just switch to csh or ksh? I do like the aliases in bash, but a traffic light doesn't need aliases.

7th trump
26th September 2014, 07:39 AM
I suspect a lot of this electronic payment hacking is done by the Babylon System itself. Moving us closer to mandatory "secure payment systems." Like an implanted RFID. Or a Mark on the forehead or right hand.

The mark of the beast is not a physical mark.....thought you were biblically literate?

crimethink
26th September 2014, 03:42 PM
The mark of the beast is not a physical mark.....thought you were biblically literate?

Only God knows if the Mark will be literal or figurative. Your insistence that it is not literal marks you as a potential false prophet.