Thursday, 25 September 2014

What you need to know about Shellshock internet bug


Shellshock bug is a devastating security flaw which could leave all devices, about half of all websites and even internet connected home appliances vulnerable to hackers.

What is the Shellshock bug?

Shellshock is a critical security flaw, which could allow web servers, Mac computers and countless other web-connected devices to be hijacked by hackers or malicious software.

The flaw is in a programme called Bash - which lets users issue commands to a computer using text input, rather than a graphic interface. It's thought the vulnerability has existed since 1989 - if not earlier - but was only discovered yesterday.

Most users never use Bash themselves, but it can be used in the background by web browsers, email apps, FTP (website upload) apps and hundreds more.

Is it like HeartBleed?

The Heartbleed bug allowed hackers to spy on millions of computers across the internet.

Shellshock is much, much worse - not only does it allow hackers to read information, it can write, copy and delete files - and worst of all, run programs, without the user ever knowing it's happened.

What kind of computers are affected?

Bash is most commonly found on computers running some Linux based operating systems.

While most desktop or laptop computers don't run Linux - about half of the website servers on the Internet run software called Apache, which uses Bash heavily.

On top of that, all Mac computers use Bash, too, so if you've got a MacBook or iMac, it's affected.

What about other devices?

Aside from Macs and web servers, the most common use for Linux systems is in connected home appliances.

Chances are your internet router, TV set top box or Smart TV all run a version of Linux which is vulnerable to the bug. Even worse, pretty much every internet connected light bulb or home door lock is vulnerable, and while people frequently update their computers to fix security flaws, who thinks about updating their light bulbs?

How could the bug be used by hackers?

Even in the simplest case - one hacker targeting one computer - the possibilities are almost endless. The bug could be used to read or send emails, copy personal data, turn on the computer's microphone or webcam, or install a keylogger to monitor what the user was typing.

Essentially, if it's something your computer will do without asking you for a password, someone can do it using this bug.

I have a Windows computer. Is my computer at risk?

If you have a Windows computer, probably not. Bash doesn't run natively on Windows, and it's not clear whether Windows conversions are vulnerable.

That said, pretty much every home with an internet connection is going to have a device running some flavour of Linux - be it a TV set top box or a router - so there's still a risk.

How bad could it get?

Above, we looked at the simplest scenario - an individual hacking a specifically targeted machine. Doing it that way is easy, and could have disastrous consequences.

The worst case scenario is that the flaw could be used to spread a virus or worm extremely quickly - and could do exactly the same things on a massive scale.

There's a reason the internet security community consider this a 10/10.

How do I fix it?

Apple haven't released a fix for this yet - but Mac users should look out for a system update shortly, and update as soon as it's available.

The same is true of pretty much any other device, too. If it's a home appliance connected to the internet over wi-fi or cable, users should contact their supplier and ask about a software update.

Be warned, though. Some nefarious people will always use a crisis like this to try and trick people with phishing emails. Be wary of any emails you receive asking for personal data, or recommending you run any software to fix the Shellshock bug. If in doubt, contact the manufacturer directly.





















No comments:

Post a Comment