“Bash Bug” Takes Another Bite Out of Our Security

Bash BugWhat is it?

The “Bash Bug,” also known as “Shellshock,” is a programming flaw that lets outsiders take control and install programs or run commands on computers and other devices.  This security flaw was assigned the highest severity rating of 10 on a 10-point scale by the National Institute of Standards and Technology.

The Bash bug has been compared to the recent Heartbleed vulnerability which exposed passwords and other sensitive data to hackers by exploiting systems running Open SSL.  Each of these bugs allows hackers to exploit a flaw in programming which affects millions of people.

Does it affect you?

The Bash bug can remotely execute code on systems that use Bash as their default shell.  A “shell” is a program which interprets the commands and instructions from users and program.  In other words, hackers can exploit the flaw to hijack a computer or device. Bash is the most prevalent command shell used by Linux and UNIX-based operating systems. Thus, the Bash vulnerability affects all Linux or UNIX servers and workstations and all types of devices with embedded Linux or UNIX operating systems including industrial equipment, power plants, municipal water systems, medical devices, routers, switches, firewalls, security cameras and smart appliances – that are connected to the internet. Many people may not even be aware that some of the appliances they use at home or at the office have an embedded Linux operating system.

Windows systems aren’t vulnerable and modern versions of the Apple MAC operating system called OS X are only vulnerable if the user has enabled the Advanced UNIX Services. If your system is running behind a firewall, the impact should be minimal. This vulnerability is more dangerous for web servers and devices which respond to Internet commands than for home computers.

The Bash bug could also deliver malware to anyone visiting a website hosted on a compromised server.  Yahoo confirmed that their games server had been compromised.  Lycos and Winzip servers have also been compromised.

What can you do about it?

The solution to close this security hole is to deploy an operating system patch which updates the Bash shell. Most embedded devices do not have any simple process for patching the internal Linux operating system and thus may remain vulnerable if connected to the internet. We recommend you call the manufacturer to inquire about their plans for updating the embedded operating system.

If your system is not yet patched, beware of malicious emails that try to convince you to run a program or to phish for your login credentials, as these will allow hackers to bypass your firewall.  This vulnerability highlights the need to have a real firewall, instead of just a router, even at home.

What is Stemp Doing?

Our clients use firewalls and secure remote access appliances that are Linux based.  Upon learning of this vulnerability, we immediately started a program of patching all affected devices.  These updates were performed during our night shift so as not to disrupt client operations during the day.  In addition, we sent a security alert email to our clients to inform them about the vulnerability.

You can count on Stemp to promptly address these types of issues.  Our philosophy is to continuously be on top of vendor patches and security updates.  We believe that this is the only way to maintain security and stability, and to improve performance across the network.

If you have any questions about how this vulnerability might affect any devices you own or use, call us.

Stemp Systems has been recognized as a NSCAM champion by the National Cyber Security Alliance (NCSA) recognizing our efforts to keep you safe.  This blog is an example of how we educate our users to be safe and secure.

Are You Secure Online? Stop and Think Before You Connect

It seems we spend more time online than we do offline these days.  We’re online at work doing research and using Salesforce, at home shopping and planning vacations, and on the road navigating from here to there and using social media.  Our personal information – from financial information to healthcare information to personal communications – the…

Technically Speaking, Technology Can Improve the Consent Process

Informed Consent is a vital process for protecting doctors against Malpractice claims.  The process involves four steps: 1.  Education of a patient about a medical procedure 2.  Presentation of the informed consent form 3.  A signature by the patient acknowledging consent to proceed with the procedure 4.  Documentation of this process Through education, the patient understands the…

Preparedness Planning is Top of Mind during National Preparedness Month

Would your business survive after a natural disaster or other catastrophe that destroyed your computer systems or erased your business data?  The questions is not “if it will happen.”  The question is “when.”  In fact, to remind us to prepare for natural disasters and other catastrophes, the government has declared September to be National Preparedness…

Preventing a Data Breach Caused by Human Error

How secure is your business data?  Does your company provide security training to your staff to protect your data? Most data breaches are caused by human error, making human error one of the greatest vulnerabilities in any company’s security.  Workforce training could have prevented many of the recent data breaches, which have been caused by…

(c) Ulistic Inc. | Search Engine Optimization Calgary | Calgary Small Business Marketing | Calgary Business Networking