Are you suffering from ShellShock?

LONDON, 25 September 2014 – In the last 24 hours, a security flaw in software that affects over 90% of the Internet, as well as hundreds of millions of computer devices including Apple devices has been discovered. Known as "ShellShock", the world is bracing itself for an impact significantly larger in magnitude than that felt from "Heartbleed" earlier this year. Here are 5 points to survive the after shock.

1. What is ShellShock?

This is name being given to a flaw discovered in the last 24 hours, in software called 'Bash' which is used to control the command prompt on many Unix-based operating systems such as Apple OS X and Linux. By exploiting the vulnerability hackers can take control of a targeted system as well as gain access to data and services in the cloud.

2. Does ShellShock affect me or my organisation?

The popularity of Apple, and moreover the significant use of the Linux operating system in everything from webservers and home routers, as well as industrial control systems, from power plants to traffic light systems, means that this security vulnerability is likely to affect nearly everyone.

3. How dangerous is ShellShock?

The US National Cyber Security Division gives ShellShock a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. 

Cert-UK, the UK’s national cyber-security response team, has issued an alert to all government departments stating that the ShellShock flaw carried the “highest possible threat ratings… for both impact and exploitability”.

The fallout from ShellShock, like Heartbleed, will take place over months or years, but whilst Heartbleed could only spy on devices, ShellShock has the ability to control them. It's still early days, but reports have already started emerging of identified DDoS attempts to exploit the vulnerability.

4. How do I know if I'm in danger?

It's very likely that if you or your organisation use computers that run a Unix based operating systems such as an Apple Macbook, or if your organisation runs unix based systems, then the threat of ShellShock is a very clear and present danger. If you are not aware that your devices have been sufficiently patched, and the vulnerabilty removed/circumvented, then it is advisable to contact experts such as Infosec Partners for a full security audit.

5. What can I do to protect myself?

Both your in-house systems and cloud solutions need to be audited to identify their exposure to this bash vulnerability. Patches are being developed but at the time of writing, Apple has yet to officially release one, which means that manual solutions can be implemented to circumvent or nullify the threats.

Additional general advise includes not using credit cards online or disclosing personal information online for the next few days, as hackers will be looking to take advantage of this flaw at the very earliest opportunity. Similarly, we also recommended standard practice such as updating anti-malware solutions and not visiting dodgy websites.

As a trusted adviser to significant organizations, Infosec Partners has a track record of successfully mobilizing teams of consultants and technical experts to audit, assess and resolve security vulnerabilities such as ShellShock. Contact us now to reduce your exposure to a threat that many expect will be bigger than Heartbleed.