Shellshock threat to computer systems


Tuesday 30 Sep 2014

The newly discovered computer software flaw, Shellshock, could threaten everything from large servers through to smart appliances in our homes, according to Charles Sturt University (CSU) cyber-security expert Dr Tanveer Zia.

Dr Tanveer ZiaDr Zia, who is the Associate Head of CSU's School of Computing and Mathematics, explains why the Shellshock or Bash Bug is considered such a threat and how we can protect ourselves.

The vulnerability

Shellshock or Bash Bug is a software vulnerability that has potential to impact the security of computer based systems at a scale larger than the Heartbleed Bug, which appeared in April this year.

 According to the National Vulnerability Database, maintained by The National Institute of Standards and Technology (NIST) in the United States, Shellshock is rated at level 10 (High) compared with Heartbleed which was rated at level 5 (Medium). 

The high vulnerability rating of this bug is due to its ability to threaten larger servers to which millions of users are connected. 

Unlike most computer attacks which target Windows based systems, this vulnerability is found in systems powered with Unix or Linux and Apple's Mac OS X operating systems. The bug does not seem to have affected Windows based systems and Apple's iOS, the operating system used in iPhones and iPads.

What does it mean for me?

What this means to an average computer user is that n web server, which hosts a website holding users' personal information, may be affected by this vulnerability if that web server is running an un-patched version of the Unix or Linux operating system.

When a web server is compromised, attackers do not just steal the confidential information they can take control of the system and cause more problems such as shutting down the servers.

From an end user point of view, this flaw has potential to affect broadband routers installed in our homes as well as domestic smart appliances such as refrigerators, temperature sensors and surveillance systems which are connected to the internet.

Unfortunately, many smart appliances are not designed to receive regular patches or updates if vulnerability is detected, unlike our smart phones which receive regular updates.

Who has the responsibility to fix this bug?

Given that the web server owners and internet service providers are most at risk from this bug, they should take corrective measures to apply patches immediately and inform users to apply the updates.

Although Apple claims that a vast majority of Mac users are not at risk, it is rushing to place patches and notify users for updates.

What should I do to prevent an attack?

Users running Windows based operating systems working locally do not to need worry.  However, the majority of users with inter-connected systems should take following precautions:

  1.  Keep an eye on updates from the service provider and apply updates immediately.
  2.  Contact the broadband router or smart appliance manufacturers and ask for operating system updates.
  3.  Be vigilant about the phishing emails, hackers will try to take advantage of the situation and lure innocent users to what appears to be a software update, but is in-fact a bogus website, in order to steel users' login and passwords.
  4. Consider changing passwords to important services such as financial institutions, online social networks, and eGovernment services such as MyGov, Centrelink, Medicare, and eTax.
  5. Monitor signs for unusual activities in accounts and unauthorised changes in online profiles.
  6. Opt for two factor authentication if it is available with the online business you deal with.
  7. Avoid clicking on 'doggy' pop up ads and unknown URLs.

Dr Zia is a senior lecturer in Computing and his research interests include network and cloud computing security, information assurance, protection against identity theft and forensic computing.


ends

Media contact: Mr Wes Ward, (02) 60519906

Media Note:

Dr Tanveer Zia is based at CSU's School of Computing and Mathematics in Wagga Wagga. Contact CSU Media to arrange interviews.