Cyberwars: “Bigger than Heartbleed”

Just months after the Heartbleed bug made waves across the internet, a new security flaw has emerged which threatens to compromise everything from major servers to connected cameras. It is known as the Bash or Shellshock bug, a quarter-century-old vulnerability that could put everything from major internet companies and small-scale web hosts to wi-fi-connected devices at risk.

This flaw allows malicious code execution within the bash shell – commonly accessed through Command Prompt on PC or Mac’s Terminal application – to take over an operating system and access confidential information. According to the open-source software company Red Hat, bash shells run in the background of many programs, and the bug is triggered when extra code is added within the lines of Bash code.

Because the bug interacts with a large percentage of software currently in use, and does so in ways that are unexpected, Robert Graham – an internet security expert – claims that the Bash bug is bigger than Heartbleed. As he explained it:

We’ll never be able to catalogue all the software out there that is vulnerable to the Bash bug. While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable.

According to a report filed by Ars Technica, the vulnerability could affect Unix and Linux devices, as well as hardware running Mac OS X – particularly Mac OS X Mavericks (version 10.9.4). Graham warned that the Bash bug was also particularly dangerous for connected devices because their software is built using Bash scripts, which are less likely to be patched and more likely to expose the vulnerability to the outside world.

And since the bug has existed for some two and a half decades, a great number of older devices will be vulnerable and need to be patched because of it. By contrast, the Heartbleed bug was introduced into OpenSSL more than two years ago, allowing random bits of memory to be retrieved from affected servers. And according to security researcher Bruce Schneier, roughly half a million websites could be vulnerable.

For the time being, the administrative solution is to apply patches to your operating system. Tod Beardsley, an engineering manager at security firm Rapid7, claims that even though the vulnerability’s complexity is low, the level of danger it poses is severe. In addition, the wide range of devices affected by the bug makes it essential that system administrators apply patches immediately.
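Applying the patch is only half the job; an administrator also wants to confirm it actually landed on each host. The script below is an added example, not code from this article or from any of the sources it cites, and it follows the same style of self-check that vendors published at the time. The function names (`bash_version`, `check_shellshock`) and the harmless `echo probe` command are the example’s own assumptions. It exports an environment variable shaped like a Bash function definition with a command appended after the closing brace, then starts a child bash that does nothing but echo a marker: an unpatched bash executes the appended command while importing the variable, a patched bash treats the variable as plain data and prints only the marker. Run it on machines you administer.

```shell
#!/bin/sh
# Added example: local patch-status check for the Bash function-import bug.
# Runs only a harmless 'echo' in the local bash; intended for your own hosts.

# Print the version of the bash found on PATH, or "none" if there is no bash.
bash_version() {
    if command -v bash >/dev/null 2>&1; then
        bash -c 'printf "%s\n" "$BASH_VERSION"'
    else
        echo none
    fi
}

# Print one of: vulnerable, patched, unknown (and return 1, 0, 2 respectively).
# The exported variable x looks like a function body followed by an extra
# command. A vulnerable bash parses x as a function at startup and runs the
# trailing 'echo vulnerable'; a patched bash never evaluates it.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *probe*)      echo patched;    return 0 ;;
        *)            echo unknown;    return 2 ;;
    esac
}

# Stand-alone run: report version and status on stdout. The return code of
# check_shellshock makes the check usable from cron or a config-management tool.
main() {
    printf 'bash version: %s\n' "$(bash_version)"
    printf 'status: %s\n' "$(check_shellshock)"
}

main
```

The check covers only the bash binary on the current host’s PATH. The embedded devices the article worries about ship their own copies of bash inside firmware images, so for those the only meaningful verification is a vendor update, not a test run on an administrator’s workstation.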

As Beardsley explained during an interview with CNET:

This vulnerability is potentially a very big deal. It’s rated a 10 for severity, meaning it has maximum impact, and ‘low’ for complexity of exploitation — meaning it’s pretty easy for attackers to use it… The affected software, Bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and Web servers. Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes etc. Anybody with systems using bash needs to deploy the patch immediately.

Attackers can potentially take over the operating system, access confidential information, and make changes. After conducting a scan of the internet to test for the vulnerability, Graham reported that the bug “can easily worm past firewalls and infect lots of systems” which he says would be “‘game over’ for large networks”. Similar to Beardsley, Graham said the problem needed immediate attention.

In the meantime, Graham advised people to do the following:

Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a Bash patch. And, since most of them can’t be patched, you are likely screwed.

How lovely! But then again, these sorts of exploitable vulnerabilities are likely to continue to pop up until we rethink how the internet is run. As the Heartbleed bug demonstrated, the problem at the heart (no pun!) of it all is that vast swaths of the internet run on open-source software that is created by only a handful of people who are paid very little (and sometimes, not at all) for performing this lucrative job.

In addition, there is a terrible lack of oversight and protection when it comes to the internet’s infrastructure. Rather than problems being addressed in an open-source manner after they emerge, there needs to be a responsible body of committed and qualified individuals who have the ability to predict problems in advance, propose possible solutions, and come up with a set of minimum standards and regulations.

Ensuring that it is an international body would also be advisable. For as the Snowden leaks demonstrated, so much of the internet is controlled by the United States. And as always, people need to maintain a degree of vigilance, and seek out information – which is being updated on a regular basis – on how they might address any possible vulnerabilities in their own software.

I can remember reading not long ago that the growing amount of cyber-attacks would soon cause people to suffer from “alert fatigue”. Well, those words are ringing in my ears, as it seems that a growing awareness of our internet’s flaws is likely to lead to “bug fatigue” as well. Hopefully, it will also urge people to action and lead to some significant reforms in how the internet is structured and administered.

Source: cnet.com, arstechnica.com, blog.erratasec.com, securityblog.redhat.com

Data Miners – Chapter 11

Wednesday morning.

It’s been another hasty ride to work to get in on time. Prad hasn’t showered since Monday and is feeling the grime encroach on him again. His head is reeling from the dual assault of purple haze and not enough sleep. Working through code this morning is difficult, proceeding at one keystroke per minute. He has no desire to be looking at TPS reports right now or anything in Macro format for that matter. The few hours of sleep and the buzz he got from his last joint have not cured the case of busy-brain he contracted last night. He was hoping the light of day might make things a bit more clear, but if anything, it’s made it worse. Whereas the busy-brain kept him from sleep last night, it is now keeping him from work.

By ten thirty, he examines how much work he’s actually done and decides it’s futile. He half-wishes he brought the book with him just so he could peruse it. Then he wouldn’t be so fixated on it! Somehow, the mind had a way of obsessing over the things that the body didn’t have immediate access to.

He needs a distraction. Minimizing his work in his task tray, he pulls up his email and checks to see if anyone has written to him since yesterday. Sure enough, there are a couple of new hits in his Inbox. One from Sa’id, one from the adult dating site, and even one from Angie. A few spam mails between, more offers for downloadable software and movies. He’s too excited to move these to his spam folder and goes right for the one from Angie. The subject line says it all.

>To: Prad123@yahoo.com
>From: AngCpr@gmail.com
>Subject: Bit weird huh?

>Hey Prad. Sorry for the misunderstanding last night. Had no idea you got a copy of Germaine’s book too. I suppose I can understand your confusion, it was a bit weird of him to just start reaching out like that, right from the blue? Anyway, no worries, Scott and I kind of got a kick out of it. We were also a little worried after you left, figured you might have been embarrassed. One other thing, have you heard anything about the dear old prof? I was kind of wondering if he was still with us. It might be nice to find him and say hi one last time.

>Anglmrk

Prad feels incredibly warm and giddy inside all of a sudden. He notices she didn’t use his first name, but oh the tenderness implied in that email! And the fact that she thought to write him the morning after! The time on it indicates that she wrote it less than an hour ago, most likely while bored at work. He reads it again and notices the mention of Scott, the royal we that follows in his wake too. He could live without that, but even the presence of that five letter fun stopper can’t spoil his mood now. He opens up the one from Sa’id next. A sense of fraternal duty tells him he should do this before composing a gushy response to the boss-lady.

The subject line of Sa’id’s email is quite telling. He notes instantly the diminished punctuation and grammar as well. Clearly a step down from Angie’s message.

>To: Prad123@yahoo.com
>From: SdN72@hotmail.com
>Subject: thanks dude!

>hey dude thanks again for the ride home last night woke up with a wicked hangover how bout you. My landlady sez i made terrible noise last night must have been when i woke up to puke my guts up good time all around though. shit that things got a bit heavy there for some people isn’t it hate to see our people not getting along but have you heard the news? The fecking feds just made a release bout the whole dangle thing and say that they think the whole thing was faked but wont say nothing about how they got them or where the leak came from. dumbasses huh only make things worse for themselves! ps what was with that whole thing in Angie’s room why were in there second time around i mean I know what you were doing the first time pervert! take care, can’t wait for five oclock to roll around

>Sandngrr

Now he feels momentarily sidetracked. He did not hear that, must have left the radio off in his car this morning, or had it tuned to music. He really can’t remember. The only other time he ever catches the news is on the web, or by word of mouth. And on both fronts he’s been a little out of touch, at least for the last twenty four hours.

The email from the dating site now looms in his field of vision like a burning bush. He desperately wants to check it, to see who took an interest in his profile and what they look like/have to say for themselves. But he doesn’t want to keep Angie waiting. A message from her in his Inbox is like finding her at his front door, or so he imagines. Leaving her waiting would be nothing short of criminal. Going back to Angie’s message, he hits the Reply button and begins composing. He does his best to emulate the proper style with which she emailed him, not to mention the tone he established last night. If acting mature gets her to email him, he’ll ride that pony to the ends of the earth!

To: AngCpr@gmail.com
Subject: Re: Bit weird huh?

Hey Angie. Don’t worry about it. It is I who should apologize for breaking in on you like that. I suppose these things happen. Sad to say, I can’t tell anything new about the prof. Last I heard, he got diagnosed and decided not to go the treatment route. Sad huh, but what can you do? One question though, are you absolutely sure he was the one who sent those books? I suppose it stands to reason, but why didn’t he send a real note or at least a return address? Oh well, talk to you soon. Take care, say hi to Scott.

Thaiwrrr

He grabs the mouse, his finger poised above the “Send” button. That’s when he realizes that his own inquiry is worth following up on. Not just idle chit chat, someone really ought to see if anyone else who was in their class or studied under Germaine at MIT also got copies of that book. He checks his address folder to see if he has any old email addresses. He’s still got the names of a few old friends there, but most of the addresses are old IST accounts. Prad shakes his head. Those accounts probably haven’t been used in over five years. Someday soon he must do a cleanup of his contact folder.

Luckily, he still has some hotmail and yahoo accounts for some people he used to hang out with: Lena, Mark, Josée, and Andrea. They were all pretty cool, but not too cool. They hung around with him, after all. If ever he were to be completely honest, he would admit that they were the people he fell in with because of his inability to get in with the truly cool crowd. Nevertheless, they are all MIT alumni and people who studied under Germaine. Surely they would be on his contact list if he wanted to start sending gift packages around. Clicking on the box beside each of their names, he adds them all to the recipient’s field before typing off a friendly generic message.

Hello all, sorry to drop in on you like this after such a long absence. But something’s come up which I feel concerns us all. I am, of course, referring to Professor Germaine’s illness. I’m sure you’ve all heard how our dear teacher is not long for this world. Last I heard, he’s got a few months tops before he… you know. Well, it may be that he’s decided to reach out to some of us before that happens. Angie and I both received copies of the millennial edition of Ghost in the Machine, the one with his foreword. We’re not sure, but we think he sent them to us. As fellow alumni, I was wondering if any of you got similar packages. If so, did it come with a note that contained more than just simple instructions? Angie and I would appreciate any info you have, as it would resolve this dilemma for us.

Thaiwrrr

He hits “Send” and moves onto his last message. It’s about time too. A response of this kind can only be exciting. His palms would be sweaty if he were a lesser man, or just a little cleaner. His pores are too clogged right now, luckily his armpits and crotch appear to be overcompensating.

>Prad123, you’ve received a profile message from Kittyhawk69:
>“Hi. Liked your profile, I think Asian guys are super hot! Come check me out!”
>Follow the link below to see the full message and access their profile:

Prad immediately clicks on the site’s link to have a gander. Sure enough, for her pic, Kittyhawk69 lives up to the name. Her preferences send his heart into another tailspin: Hot chat, one on one, threesomes, toys and discreet relationship. His mind and libido begin the age-old dance, the former insisting she’s a dude, the latter telling the former to shut up.

Yep, he agrees, too good to be true. But what harm can a little extended chat, via webcam to confirm she’s actually a woman, followed by a little meet and greet at a neutral site do?

You could end up with a disease, or finding a penis tucked under her ass! His mind tells him. But what has his mind done for him lately other than keep him in this dead end job? Another look at her preferences, cross-referenced with her other pics, ends the debate quickly.

Shut up, mind!