BreachExchange mailing list archives
Shellshock Shocks Cyber-Security Companies Into Action
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Sep 2014 18:47:34 -0600
http://www.bidnessetc.com/26374-shellshock-shocks-cybersecurity-companies-into-action/

Apple Inc. (AAPL), Symantec Corporation (SYMC) and several other major companies are working to fix the Shellshock bug that has found its way into a large number of computers connected to the Internet. The National Institute of Standards and Technology has rated its potential damage 10 out of 10 in terms of severity and complexity. Concerns continue to grow, as a group of top financial regulators warned banks that the bug could expose them to fraud and encouraged them to quickly find a solution.

Bash, short for Bourne-Again Shell, is free software that was developed in 1987 by a young programmer named Fox. The bug is believed to be the outcome of flawed code written within the software that is being used by more than 70 percent of the machines connected to the Internet. The bug is not limited to computers, but other mobile devices and routers that use the software are also affected.

The bug has gone unnoticed for the last two decades and could have been used by hackers and cybercriminals in the past. As soon as the bug was discovered, security researchers and cybercriminals immediately became active on the Internet. Cyber-security experts fear that hackers will soon develop a method that uses the Shellshock bug to infect computers and take over machines.

The bigger concern is that millions of software codes, that were written years ago and form a major part of our technology products, could have this bug and hackers could potentially exploit them to their advantage. Although companies spend millions of dollars in writing code and developing new security software, they assume that the underlying components used in the software and its updates, that have been in use for several years, are not compromised.
Hence, it is not surprising that bugs like Heartbleed, discovered last April, and Shellshock, are the result of errors in the underlying components that many security experts and tech companies use.

The Shellshock bug is very different and much more dangerous than Heartbleed. Hackers could only use the Heartbleed bug to steal users’ passwords and confidential information through websites. With Shellshock, they can steal passwords and confidential information, and also infect websites and take over machines that are connected to the Internet. Users were instructed to change their passwords after the Heartbleed bug was discovered, but there is not much they can do when it comes to Shellshock, other than wait for companies to fix the bug and provide a security update.

Many companies are working on a solution and are instructing their customers to take precautionary measures as well. Google Inc. (GOOGL) has fixed its internal servers and cloud-computing services, while Amazon.com, Inc. (AMZN) released a bulletin showing their customers how to mitigate the problem and use their machines safely. It is highly recommended for all users to update their antivirus software.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/