Shellshock, The Latest Mac OS X and Linux Vulnerability

By: Solange_Desc1

Security researchers have discovered a new software bug known as the “Bash Bug” or “Shellshock,” or to those more technically “in-the-know” as the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271). This bug, more correctly termed a ‘vulnerability’, potentially allows attackers to gain control over targeted computers.

The bug is present in a piece of computer software called Bash, which is typically found on computers running the Linux or Unix operating systems, of which there are many variations. Generally these operating systems are used to power server computers, such as the ones that many of the world’s websites run on. Also affected are Apple Mac computers running Apple’s operating system, OS X, which ships with Bash. Computers running Microsoft Windows are not affected by this vulnerability directly, but could be at risk if web servers holding their users’ data are compromised.

 

Who Is Likely To Be Targeted By This Bug?

There are three likely targets:

  • We believe the primary target for this vulnerability is public facing web servers that have not yet been patched.
  • Any computer running Apple’s Mac OS X, whether a server or your personal computer or laptop, is also vulnerable to attack if it has not been patched. In practice a Mac is only exposed if it runs a service that hands untrusted input to Bash (for example a web server running CGI scripts), which is why Apple stated that most users were not at risk by default. Also note that this bug does not affect computers running Microsoft Windows: they don’t run Bash.
  • Many routers and other Internet-connected devices that are running a variation of Linux or Unix.

So, What Is Bash?

Bash is a piece of software that translates commands a user types into actions a computer can carry out. In the early days of computing it was more common for users to directly enter commands; today, point-and-click user interfaces hide all of this. However, many websites use scripts that contain a collection of such commands to automate interaction with the underlying computer. On a Unix or Linux computer, if you have ever typed commands into a window with a command prompt, then you were likely talking to Bash.

The Bash bug lets an attacker smuggle extra, unauthorized commands into Bash by way of environment variables: a vulnerable Bash treats any environment variable whose value begins with “() {” as a function definition, and then goes on to execute whatever follows the closing brace. Because web servers hand parts of each request (such as the User-Agent header) to scripts through environment variables, a remote attacker can supply such a value without ever logging in; this could, in turn, allow the attacker to steal data or gain control over the web server computer or other device.
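Two checks a practitioner would run, given as an added example that is not part of the original article: the canonical local self-test for CVE-2014-6271, and a scan of a web-server access log for the “() {” marker that every Shellshock probe must carry in a request header. The log lines below are constructed for the example (the IP addresses come from documentation ranges), and the script path /cgi-bin/status is made up.

```shell
#!/bin/sh
# Added example (not from the original article). Two practical checks for
# CVE-2014-6271: a local self-test of the installed bash, and a scan of a
# web-server access log for the "() {" prefix that a Shellshock probe must
# place in a request header so that it lands in a CGI environment variable.

# 1. Self-test. Bash before the fix treated any environment variable whose
#    value starts with "() {" as an exported function definition and kept
#    parsing past the closing brace, so the trailing "echo vulnerable"
#    executes as the child bash starts up. A fixed bash only prints
#    "this is a test" (and a warning on stderr, discarded here).
#    Prints a verdict; returns 0 when bash is patched or absent, 1 if not.
shellshock_selftest() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "bash is VULNERABLE to CVE-2014-6271"; return 1 ;;
        *)            echo "bash is not vulnerable (or not installed)"; return 0 ;;
    esac
}

# 2. Log scan. A CGI-enabled web server copies request headers into
#    environment variables (User-Agent becomes HTTP_USER_AGENT, Referer
#    becomes HTTP_REFERER, and so on) before running the script, which is
#    how the payload reaches bash. Prints the number of log lines whose
#    header fields carry the function-definition prefix. Argument: the path
#    of a combined-format access log. Fixed-string match, so the braces
#    and parentheses are taken literally.
count_shellshock_probes() {
    grep -cF '() {' "$1"
}

# Constructed sample log in combined format: two probes (one in the
# User-Agent field, one in the Referer field) and one ordinary request.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.9"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo pwned" "curl/7.37"
EOF

shellshock_selftest
echo "probe lines in $LOG: $(count_shellshock_probes "$LOG")"
```

The self-test only tells you about the bash on the machine you run it on; the log scan is what tells you whether anyone has already tried a server. A hit does not by itself mean the payload ran, since the server may have been patched or the target path may not be a CGI script, but it identifies the request and source worth investigating.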


 

The Good News: It Hasn’t Been Widely Exploited…Yet

So far, there is no significant evidence that this bug has been exploited in the wild. However, now that researchers have brought this vulnerability to light, cyber criminals may see this as their chance to take advantage of it. Now it’s up to software companies to quickly create and implement patches and updates before attackers can reap their unscrupulous rewards.

Am I Affected By Shellshock?

We believe Web servers are the likely main targets for attack, and website owners are probably working quickly to patch their computers to guard against it. Unfortunately, there is no easy way to tell which websites may have been attacked, so as a general precautionary measure we recommend keeping an eye out for suspicious activity on the accounts you keep online, and periodically changing important passwords, like those to your email accounts, financial accounts and social networks.

Business owners that have professional websites should apply any available patches immediately.

If you’re a Windows user, your personal device is not vulnerable to this bug. Still, if a web server that runs on Linux has been compromised, and it holds your personal information, you may still be affected. If your personal device or computer runs Linux or Unix (including OS X), you may be susceptible, particularly if you are running an unpatched version.

What Precautions Should I Take To Defend Against Shellshock?

While the vast majority of the responsibility for thwarting cyber criminals from exploiting this bug lies with software companies and website owners, it is still extremely important to make sure that all of your software remains up-to-date, as updates often contain security patches that help keep your data secure.

Here are a few things that consumers can do to stay protected:

For all users:

  • We recommend keeping an eye on all of your accounts, on which you store personal information, for signs of unusual activity that may indicate that your account has been compromised.
  • Consider changing important passwords, like those to your email account, social networking sites, and financial accounts, and use a different password for each one. Where it is offered, especially on financial websites, enable 2-factor authentication.
  • Apply any available patches to routers, or any other web-enabled devices in your home, as soon as they become available. Remember though to only download patches and software from reputable sites and keep in mind that scammers will likely try to take advantage of Shellshock reports, so be sure to watch out for spam emails and suspicious links that tell you to download software.
  • Keep an eye out for updates from Apple and be sure to apply available patches.

Remember Microsoft Windows computers are not susceptible to attack using this vulnerability.  

Firefox 32.0 fixes holes, shakes out some old SSL certs, introduces certificate pinning

by Paul Ducklin on September 3, 2014

 


Yesterday was Firefox’s most recent Fortytwosday (updates come out every 42 days, on Tuesdays, in a nod to Douglas Adams), bringing us to Firefox 32.0.

For those who like to keep their feature set behind the leading edge, yet stay on top of security fixes, there’s also ESR 24.8 and ESR 31.1.

ESR is short for Extended Support Release; these versions are squarely aimed at organisations who need to balance user familiarity with network security, but they’re freely available, just like the mainstream version.

 

ESR releases have version numbers of the form X.Y, where X is the mainstream major version whose feature set they include, and X+Y is the current major version number of the leading-edge release.

What’s interesting in the ESR security notes for this update is that there are three critical vulnerability reports for ESR 31.1, but only two for ESR 24.8:

 


That’s because the MFSA 2014-68 advisory doesn’t apply to the codebase that was frozen back at Firefox 24, meaning that the bug was introduced somewhere between versions 25 and 31 inclusive.

This reminds us quite visibly that security really is a journey, not a destination.

Certificate retirement

Another noteworthy point in this Fortytwosday is listed in the general Release Notes, rather than as a security fix:


 

Removed and turned off trust bit for some 1024-bit root certificates

 

In cryptographic circles, digital certificates that use 1024-bit RSA keys are no longer considered safe.

That means that it’s no longer wise to trust root certificates that use 1024-bit keys, because a crook who can crack a root certificate key can then sign his own dodgy certificates (of any key length he likes) to give them a bogus imprimatur.

 

Remember that, for the most part, your browser implicitly trusts any certificate that is signed by a certificate it explicitly trusts.

→ RSA key sizes for public key encryption can’t be compared to AES key sizes for secret key encryption, where 128 bits is currently considered suitable. We explained why last year when Google officially doubled all its RSA key sizes from 1024 to 2048 bits.


By the way, if you’re a user who likes to keep at least half an eye on what certificates your browser trusts, you’ve probably found the certificate inspection dialogs in Firefox to be very frustrating.

You need to click into each certificate in turn (and there are hundreds of them) to view its details:


If this has ever annoyed you, then you’ll probably find these links useful:

・         Mozilla Included CA Certificate List

・         Mozilla Included CA Certificates (in spreadsheet format)

・         Source code file of Mozilla built-in certificates

Perplexingly, Mozilla doesn’t yet seem to have removed all the 1024-bit root certificates in its built-in list of trusted Certificate Authorities.

Presumably, however, that will happen soon.

Certificate pinning

Another useful new feature introduced in Firefox 32.0 is Public Key Pinning.

Loosely put, certificate pinning works by performing additional checks on HTTPS certificates from popular web properties, instead of checking merely that the certificates are vouched for by a trusted signer.

That’s why we carefully wrote above that your browser “for the most part” implicitly trusts certificates signed by explicitly trusted certificates.

Certificate pinning introduces a sort-of allow list approach by forcing some certificates to meet additional criteria, such as verifying who signed the certificate.

That way, a crook who wanted to create a bogus a Twitter certificate, for instance, couldn’t get his dodgy certificate signed by just anyone: he’d have to subvert the very same certificate authority (CA) that Twitter is known to use.

That’s not foolproof, of course, but it’s generally much harder to pwn a specific CA than to pwn any CA.


Currently, Mozilla is pinning certificates only for its own sites and Twitter; pinning for Google, Firefox, TOR and Dropbox is promised in the next two releases.

10 Things I Know About Social Engineering

10. Don’t trust uniforms.

Wearing shirts with company logos on them can be enough to gain access to restricted areas. Verify that visitors really are who they say they are.

9. ID caller from IT.

If you receive a call offering IT support for a problem you didn’t know you had, get suspicious. That’s probably not Microsoft calling; it’s a scam known as pretexting.

8. Don’t phall for phishing.

Phishing is so common because people fall for it, but your bank will never ask you to change your password by following a link. Always type in Web addresses directly; don’t click on links.

7. Watch out for attachments.

Never open an attachment from an untrusted source, no matter how enticing. Even if you know the sender, it’s worth scanning that .ZIP file before you consider opening it.

6. You don’t have to be so nice.

“Tailgating” works because people don’t like to let the door close on the person behind them. But if you work in a secure building, your manners could cause a security breach.

5. Don’t fall for USB ‘bait.’

“Baiting” involves leaving a USB flash drive with an intriguing label on it lying around in the hope someone will stick it in their computer and unwittingly install malware or worse. Remember what curiosity did to the cat.

4. Say no to quid pro quo.

Quid pro quo scammers will offer you something enticing, like chocolates or a coupon, in return for information about you. If it sounds too good to be true, it is.

3. Verify ‘pleas.’

Requests for money to help a desperate friend or relative commonly come through hacked social media accounts. Contact the person before you send anything to make sure it’s really them.

2. Don’t be the weakest link.

You can have endpoint security systems in place with anti-virus, URL and content filtering, firewalls at the gateway and desktop, anti-malware, and more, but social engineering encourages you to bypass your own defenses.

1. Everyone needs educating.

Create a user awareness program on how to spot social engineering techniques. A healthy dose of suspicion could save a lot of time and money.

 

By Michelle Drolet, founder and CEO, Towerwall

Special to Worcester Business Journal Online
 

This article was recently published in Worcester Business Journal Online