Bash Full of Surprises

Bash full of surprises


Just when you thought that vulnerabilities could not get worse than the Heartbleed bug, (a serious vulnerability in the OpenSSL implementation of SSL cryptography, which can render a computer connected to the internet susceptible to have its communication intercepted by a third party, even when using a VPN) Shellshock bash rears its ugly head.

Bash is a command shell program that runs in UNIX and Linux devices. It’s been around long before the internet became what it is today, and currently it is inside more that 70% of devices that are connected to internet. Servers, computer, network devices, and android mobile devices all a form of Unix/Linux that uses Bash at its core. How bad can this vulnerability be, compared to Heartbleed? With the Heartbleed bug, OpenSSL was used by about two thirds of the webservers all over the world. That made them vulnerable to have their communications snooped on, which means an attacker could look at the data transmitted and steal passwords and other data. With the Bash ‘Shellshock’, it’s a whole ‘nother beast. In this case, an attacker could actually take over any device running Bash. Not just snoop and get data from it, but actually control it from afar.

This vulnerability affects UNIX and Linux systems, which includes Macintosh computers, Android devices, and many webservers around the world. This does not mean that your Mac computer or your Android Tablet can be easily hacked and taken over from anywhere. It would be necessary for the device to be in a public network and the attacker would have to know which network you are on in order to be able to take over your network connected device. The most likely targets of this exploit would be web servers.

The bug is estimated to have been created in 1992, 22 years ago, by an open-source enthusiast who maintained Bash after its original creator, Brian J. Fox, moved on to other things. Open source software has the advantage of having many knowledgeable programmers look over the same code and make sure that it is safe. If there is a bug, they report it and it gets patched. However, all the programmers are doing it as a hobby in their spare time. This does not mean that they cannot create new secure and quality code. It just means that some of the old code might go unchecked because the glory is in creating new and innovative software, rather than the difficult task of debugging older code.

TRA focuses on Medium size and SOHO (Small Office/Home Office) security. Our goal is to provide full IT support to growing small businesses who are too small to have a full time IT staff, yet big enough that they need one on a recurring basis. We have many highly satisfied customers in the Long Beach, Orange County, Southbay, and Los Angeles area. Contact us today, and let us take care of all of your computer and network security needs. Our prices are reasonable and our services are top notch. Call us today!