10/07/2014
Shellshock and Heartbleed: Are You At Risk?
By the time news of most exploits hits the mainstream media, the exploits have long been "in the wild," infecting computers the world over.
By this time, the media seizes on the news and goes after it like a pack of sharks that have smelled blood in the water.
So, are these exploits worth being worried about?
Let's get the answer to this question by asking two more:
- Are you at risk?
- What's the best way to protect yourself?
Heartbleed and Shellshock are very different exploits, each with its own attack method and each needing a different technique to thwart it.
Let's start with:
What Is Heartbleed?
Although not a virus or malware in the traditional sense, Heartbleed is a flaw in OpenSSL, the encryption library behind the "https" padlock on a large share of websites, email servers, and other services. A server running an unpatched version can be tricked into handing back chunks of its memory to anyone who asks, and that memory can hold other users' usernames, passwords, and session cookies, or even the server's private key. If one of these websites hasn't patched the vulnerability and you access it over a secure (https) connection, attackers can read your (otherwise secure) communication with that website, decode the information, and impersonate you with that server.
Confused? Let me put it in real world terms.
Let's say you go to your bank or credit card online.
You put in your username and password, do your business, and get on with your day. Fine. Or so you thought.
Meanwhile, silently in the background, someone was listening in right through the "secure" connection and stealing your username and password.
And, as you've moved on to other sites and the rest of the day, the bad guys are now logging into your bank account, and draining it.
It's not just bank accounts either.
According to the highly regarded Netcraft, over 500,000 widely trusted websites were vulnerable when the bug was disclosed in April 2014. No doubt some of them still are.
Many of the websites you visit to check your email or log into to conduct personal business are potentially vulnerable.
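To make the mechanism concrete, here is an added illustration in Python (not code from the original post, and not OpenSSL's own code) that simulates the bug: a heartbeat message carries a length field, and the unpatched server copied that many bytes back to the sender without checking that the message was actually that long. The fake "adjacent heap" contents, the claimed length and the secrets in it are constructed for the demonstration; the fixed handler mirrors the bounds check the patch added.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(claimed_len, payload):
    """Heartbeat message as sent on the wire: type(1) | payload_length(2) | payload | padding.
    An honest client sets claimed_len == len(payload); the attack lies about it."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(buf, record_len):
    """Mirrors the unpatched logic: trust the peer's length field and copy that many
    bytes back, even though only record_len bytes were received.
    `buf` stands in for process memory: the record, followed by whatever lies after it."""
    hbtype = buf[0]
    (payload_len,) = struct.unpack("!H", buf[1:3])
    if hbtype != HB_REQUEST:
        return b""
    # Equivalent of the unchecked memcpy: reads past the end of the record.
    echoed = buf[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed


def process_heartbeat_fixed(buf, record_len):
    """The patched logic: bounds-check the claimed length against the record actually received."""
    if record_len < 1 + 2 + PADDING:
        return None  # too short to hold a type, a length and the mandatory padding; discard
    hbtype = buf[0]
    (payload_len,) = struct.unpack("!H", buf[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # claimed payload does not fit in the record; silently discard
    if hbtype != HB_REQUEST:
        return b""
    echoed = buf[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed


# Constructed sample: made-up heap contents standing in for other users' data that
# happens to sit in memory right after the attacker's heartbeat record.
ADJACENT_HEAP = (b"...Cookie: session=7f3a9c...\r\n"
                 b"user=alice&password=hunter2\r\n"
                 b"-----BEGIN RSA PRIVATE KEY-----...")


def demo():
    """A 2-byte payload that claims to be 65535 bytes long, fed to both handlers.
    Returns (what the vulnerable server echoes back, what the patched server returns)."""
    request = build_heartbeat(0xFFFF, b"hi")
    memory = request + ADJACENT_HEAP
    leaked = process_heartbeat_vulnerable(memory, len(request))
    rejected = process_heartbeat_fixed(memory, len(request))
    return leaked, rejected


def honest_demo():
    """A well-formed heartbeat: the patched server answers it normally."""
    request = build_heartbeat(2, b"hi")
    return process_heartbeat_fixed(request + ADJACENT_HEAP, len(request))


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable server echoed", len(leaked) - 3, "bytes, including:", leaked[3:][:80])
    print("patched server response:", rejected)
    print("patched server answering an honest heartbeat:", honest_demo())
```

Nothing in the request is "hacking" the encryption itself; the attacker simply asks for more than was sent, and the unpatched server obliges with whatever happens to be next in memory, which is why the only real fix is the server being patched.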
Now, some good news.
- Microsoft's web server (IIS) is not vulnerable, because it doesn't use OpenSSL. (This doesn't mean people using Windows as their desktop OS aren't at risk; it just means those web sites themselves aren't.)
- Most banks and other financial institutions that were at risk have now patched their servers, eliminating the vulnerability.
- There's a Plug-In for Google's Chrome Browser called, "Chromebleed," that tests for the vulnerability.
I recommend you take a look at Tom's Guide for complete details, but here's the list in condensed fashion (with some edits I've thrown in for good measure.)
- Change your Google, Facebook, Yahoo!, and Dropbox passwords.
- Log out of all apps on your phone, iPad, etc., then log back in.
- If a website asks you to update your password, do it.
- Update your OS (regardless of what you run: Windows, Mac, Linux, BSD, whatever).
- Set up two-factor authentication. (This is just a smart thing to do anyway.)
What About Shellshock?
Shellshock, also called "Bashdoor," is an attack, primarily on servers, that leverages a series of flaws in Bash, the command shell installed on most web, email, and other servers. In short: Bash would run commands smuggled into an environment variable, and anything that passes outside input into Bash's environment, such as a web server's CGI scripts, hands attackers a way to run commands of their choosing. Without boring you to tears with all the technical details of Shellshock, let's just address the important question here: are you at risk?
Bash is built into OS X and virtually every Linux and BSD system; Windows only has it if you've installed something like Cygwin. Apple and the Linux distributions shipped patches within days, so make sure you have them. That said, a desktop, laptop, or phone is only exposed if something on it feeds outside input to Bash, which is rare on a personal machine, so chances are you're not directly at risk.
The bigger problem, though, is that many, many of the web sites you visit daily are (or at least were) vulnerable.
On top of that, unlike Heartbleed, which only lets attackers read some of a server's memory, Shellshock lets them run commands on a vulnerable server and take it over outright.
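Two checks a practitioner would actually run, added here as an example (not code from the original post or from the Bash project): the widely circulated self-test for the original bug (CVE-2014-6271), and a constructed HTTP request showing why web servers were the real victims. The headers, script name and payload are made up for the demonstration; `cgi_env_from_request` is a simplified stand-in for the header-to-environment mapping a CGI web server performs before running a script.

```python
import os
import shutil
import subprocess

BASH = shutil.which("bash")  # None on systems without bash (plain Windows, for example)


def run_bash(extra_env, command="echo test"):
    """Run `bash -c command` with a minimal environment plus extra_env.
    Returns the combined stdout/stderr, or None if bash is not installed."""
    if BASH is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env)
    proc = subprocess.run([BASH, "-c", command], env=env,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True)
    return proc.stdout


def shellshock_check():
    """The classic self-test. The variable's value looks like a function definition
    with a command tacked on; a vulnerable bash executes that command while importing
    the environment, before it even gets to the -c command."""
    out = run_bash({"x": "() { :;}; echo VULNERABLE"})
    if out is None:
        return "no-bash"
    return "vulnerable" if "VULNERABLE" in out else "patched"


def cgi_env_from_request(method, path, headers):
    """Simplified CGI (RFC 3875) mapping: every request header becomes an environment
    variable named HTTP_<HEADER>, so a visitor controls what Bash sees."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_attack_demo():
    """Constructed request whose User-Agent carries the payload, run through an
    innocent bash CGI script. Only the bash version decides the outcome."""
    headers = {
        "Host": "www.example.com",
        "User-Agent": "() { :;}; echo Content-Type: text/plain; echo; echo PWNED",
    }
    env = cgi_env_from_request("GET", "/cgi-bin/status.sh", headers)
    script = 'echo "Content-Type: text/plain"; echo; echo "status: ok"'
    out = run_bash(env, script)
    if out is None:
        return "no-bash"
    return "vulnerable" if "PWNED" in out else "patched"


if __name__ == "__main__":
    print("local bash:", shellshock_check())
    print("bash CGI script fed a hostile User-Agent:", cgi_attack_demo())
```

On a patched Bash both functions report "patched": the "function definition" in the environment is treated as an ordinary string. There is no application-level workaround worth relying on; the fix is updating Bash (and, on servers, not running CGI scripts under a shell that takes its environment from strangers).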
In an outstanding article on Shellshock, Troy Hunt says:
"The worry with Shellshock is that an attack of this nature could replicate at an alarming rate, particularly early on while the majority of machines remain at risk.
In theory, this could take the form of an infected machine scanning for other targets and propagating the attack to them."
OK, brass tacks: what does this mean?
First, it means your computers, laptops, phones, and tablets are probably not directly vulnerable. HOWEVER, it does mean that many ordinary websites out there that we all think are safe and virus free are now places that are vulnerable to attack and that, once compromised, can harbor malware used to infect ordinary users' computers.
This is a strong case for considering Internet Security software over garden variety antivirus.
The two things most commonly found in Internet Security software but absent from most antivirus programs are:
- malicious website blocking
- software firewall