BreachExchange mailing list archives

Shellshock Shocks Cyber-Security Companies Into Action


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Sep 2014 18:47:34 -0600

http://www.bidnessetc.com/26374-shellshock-shocks-cybersecurity-companies-into-action/

Apple Inc. (AAPL), Symantec Corporation (SYMC) and several other major
companies are working to fix the Shellshock bug that has found its way into
a large number of computers connected to the Internet. The National
Institute of Standards and Technology has rated its potential damage 10
out of 10 in terms of severity and complexity. Concerns continue to grow,
as a group of top financial regulators warned banks that the bug could
expose them to fraud and encouraged them to quickly find a solution.

Bash, short for Bourne-Again Shell, is free software that was developed
in 1987 by a young programmer named Fox. The bug is believed to be the
outcome of a flawed code written within the software that is being used by
more than 70 percent of the machines connected to the Internet. The bug is
not limited to computers, but other mobile devices and routers that use the
software are also affected. The bug has gone unnoticed for the last two
decades and could have been used by hackers and cybercriminals in the past.

As soon as the bug was discovered, security researchers and cybercriminals
immediately became active on the Internet. Cyber-security experts fear that
hackers will soon develop a method that uses the Shellshock bug to infect
computers and take over machines. The bigger concern is that millions of
software codes that were written years ago, and that form a major part of
our technology products, could have this bug and hackers could potentially
exploit them to their advantage.

Although companies spend millions of dollars on writing code and developing
new security software, they assume that the underlying components used in
the software and its updates, which have been in use for several years, are
not compromised. Hence, it is not surprising that bugs like Heartbleed,
discovered last April, and Shellshock, are the result of errors in the
underlying components that many security experts and tech companies use.

The Shellshock bug is very different from and much more dangerous than
Heartbleed. Hackers could only use the Heartbleed bug to steal users’
passwords and confidential information through websites. With Shellshock,
they can steal passwords and confidential information, and also infect
websites and take over machines that are connected to the Internet.

Users were instructed to change their passwords after the Heartbleed bug
was discovered, but there is not much they can do when it comes to
Shellshock, other than wait for companies to fix the bug and provide a
security update. Many companies are working on a solution and are
instructing their customers to take precautionary measures as well. Google
Inc. (GOOGL) has fixed its internal servers and cloud-computing services,
while Amazon.com, Inc. (AMZN) released a bulletin showing their customers
how to mitigate the problem and use their machines safely. It is highly
recommended for all users to update their antivirus software.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 