It’s been a little over a week since security researchers discovered the Shellshock bug that allows hackers to remotely take over web servers and other devices. But is there really anything to fear, or is it just another overhyped security vulnerability?
Let’s take a look at some numbers. The web-optimization company CloudFlare reported that it has blocked over 1.1 million Shellshock-based attacks since last week. 83% of those attacks are classified as “reconnaissance attacks,” which means hackers are probing for sites that are vulnerable. Over 80% of the attacks came from France with the US and Netherlands tied at 7% each.
For now, a majority of the attacks seem to be hackers trying to figure out how to use the Shellshock bug to exploit servers to do what they want. CloudFlare says many attacks are trying simple things like forcing a server to open its CD/DVD tray, but more serious attacks are also being attempted.
One example is an attack where a hacker sends a command to have the web server go to sleep. By repeatedly sending this request to the server, the server struggles to keep up with legitimate requests, which results in a website being taken down. This kind of attack is called a denial of service, which prevents requests from legitimate website viewers from going through. This results in websites displaying errors that the server cannot be found.
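Attempts like the ones CloudFlare describes leave a recognizable trace in web server logs, because a Shellshock request carries a Bash function definition beginning with `() {` in a client-controlled field. The following sketch is an added example, not code from CloudFlare or the original article; it assumes the common "combined" access log format, and the log lines, category names and keyword lists are constructed for illustration.

```python
import re
from collections import Counter

# A Shellshock request puts a Bash function definition, "() {", into a header.
# Spacing inside the marker varies between attempts, so match it loosely.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")

# Coarse buckets following the article's description; keyword lists are assumptions.
CATEGORIES = [
    ("denial-of-service", re.compile(r"\bsleep\b")),
    ("nuisance", re.compile(r"\beject\b")),
    ("reconnaissance", re.compile(r"\b(echo|ping|uname|id)\b")),
]

# Combined log format: ip - - [time] "request" status size "referer" "user-agent"
# (simplified: assumes no escaped quotes inside the quoted fields)
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def classify(line):
    """Return (client_ip, category) for a Shellshock attempt, or None otherwise."""
    m = LINE.match(line)
    if not m:
        return None
    # Any logged field that a CGI script receives as an environment variable counts.
    fields = (m["req"], m["ref"], m["ua"])
    hit = next((f for f in fields if SHELLSHOCK.search(f)), None)
    if hit is None:
        return None
    # Only the text after the marker is the command the sender wanted to run.
    command = SHELLSHOCK.split(hit, maxsplit=1)[1]
    for name, pattern in CATEGORIES:
        if pattern.search(command):
            return m["ip"], name
    return m["ip"], "other"

def summarize(lines):
    """Count Shellshock attempts per category across an iterable of log lines."""
    return Counter(result[1] for result in map(classify, lines) if result)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/sleep 20"',
    '198.51.100.7 - - [01/Oct/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "() { :; }; /usr/bin/eject"',
    '203.0.113.5 - - [01/Oct/2014:10:00:03 +0000] "GET /cgi-bin/test HTTP/1.1" 404 0 "() { :;}; echo probe-1234" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Oct/2014:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]
```

A burst of denial-of-service hits from one address, or any hit answered with a 200 on a CGI path, is the kind of entry worth following up on first.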
While a majority of attacks are being directed toward websites, other attacks are targeting devices that have a web-based interface. This means hackers are trying to exploit laptops, thermostats, set-top boxes, network attached storage devices and other devices that are vulnerable to Shellshock.
Network attached storage manufacturer QNAP went as far as telling customers to disconnect their NAS boxes from the internet until a permanent Shellshock patch is found. This is extremely frustrating for customers as connecting to the internet to access their private files remotely is one of the biggest reasons to get a NAS in the first place.
However, not all hope is lost. Apple issued a patch for the Shellshock bug last week, even after claiming a majority of its users were unaffected by the bug. Still, some security researchers believe Apple’s patch is incomplete, as with many other patches issued by other companies.
The open-source software company Red Hat issued an incomplete patch immediately after the discovery of the Shellshock bug. The company has since completed patching the vulnerability but it shows that even seasoned companies are having a hard time patching the bug effectively.
So what can you do to protect yourself? Carefully watch for updates to your computer and other devices. Shellshock affects more than just a single type of device since Bash is used by so many types of devices.
But most importantly, don’t become jaded by the doom and gloom of headlines about security vulnerabilities like Heartbleed and Shellshock. Here’s what Mark Nunnikhoven, Vice President of Cloud and Emerging Technologies at Trend Micro, had to say about Shellshock.
“Shellshock is extremely serious. It merits 100% of the attention it’s currently garnering in the public view… Even with a bug this serious, some people have still managed to make hyperbolic claims about its impact. That doesn’t do anyone any good. Sensationalizing this very real issue polarizes the discussion needlessly and that leaves us all more exposed than we already are. Any time you have a complex issue, it’s difficult to relate the details to a wider audience. Unfortunately, people respond to dramatic claims more often than to nuanced ones. This won’t be the end of the internet but it is a very serious issue and one that needs to be addressed immediately.”
At the end of the day, no system is completely secure but that doesn’t mean we should give up hope and let hackers have their way. Instead, we should all take steps to stay as secure as possible. Be diligent about updates and understand how and why these attacks are happening.
If there’s anything we should take away from the Shellshock and Heartbleed vulnerabilities, it’s that we are increasingly relying on the internet for our lives. Companies need to start taking security seriously so that our private pictures don’t leak onto the internet. But we should also take responsibility for ourselves and understand what is safe and what is dangerous.
Follow me on Twitter: @lewisleong