
Be Afraid of New Shellshock Exploit

By September 29, 2014 | March 6th, 2023 | Blog, Technology News

We told you this day would come, and so it has. Remember all the warnings about how vulnerable the internet of objects was, because they lack even the most rudimentary of protections? Most people read those warnings and shrugged them off. Today, however, we’re waking up to a threat several times larger than Heartbleed. Most at risk? All of those poor, defenseless internet objects.

What Is Shellshock?

Shellshock is a command-level bug in Bash, the command-line shell for Linux systems. It’s an unintended back door that allows hackers to take total control of unpatched devices. On the day the bug was found and announced, work began immediately on patching the 51% of the world’s internet servers vulnerable to it, but of course, it wasn’t in time. A botnet attack managed to take control of a few servers using the exploit. That’s fairly minor, however. There’s a reliable infrastructure to patch servers quickly, so the damage there, while bad, will be limited. There’s a great amount of urgency to close the door on this exploit, at least where servers are concerned.

Even so, as of now, Google estimates that as many as two billion web pages could be at risk. That’s a significant chunk of the web. Yes, the door will get closed, but until it does, that’s an enormous risk. The hack is also wormable, meaning it can self-replicate and spread very quickly. If it gets behind the firewall of any large network anywhere, it’s pretty much game over for that system.

We Have The Technology – Or Do We?

We are fortunate, then, that there’s good infrastructure in place to handle server patching. That at least will mitigate the damage. However, there is one vast thing that has no infrastructure in place on which to put a patch. You guessed it. All those hundreds of millions of internet objects, and nearly all of them are vulnerable to this hack. Almost any of them can be taken over at will, at any time, by even a moderately skilled hacker, and once taken over, it can be nigh on impossible to get control back. Why? Because the overwhelming majority of those internet objects lack even the most basic network protections. Not only do we not have the means of patching them, but we can’t easily get control back if they get taken over by someone who doesn’t have your best interests at heart.

At least with Heartbleed, all the hackers exploiting the bug could do was steal data. In this case, they can outright commandeer hardware, and of course, in the process of doing so, make off with not just some, but literally all of your data too.

Attacks began in earnest just four and a half hours after the bug was announced. They are increasing in momentum. Right now, it’s a race against time, with server owners patching as fast as they can, trying to mitigate the damage. Even if they succeed in limiting the damage on the server side, all that’s going to do is cause the hackers to descend like wolves on the much more numerous collection of internet objects, for which there is little or no protection.

We told you this day was coming, and now, it’s here. This is the first, but you can bet it won’t be the last. Are you prepared for it? How safe are your objects on the internet?

If you are interested in more technical details of the exploit you can read about it here – http://lcamtuf.blogspot.co.nz/2014/09/quick-notes-about-bash-bug-its-impact.html

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.