Wednesday, September 24, 2014

NEWS: 'Bash' bug could let hackers attack through a light bulb

Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.

Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every Internet-enabled device in your house -- via something as simple as your light bulb.

That is, if you're one of those tech-embracing types who buys Internet-connected "smart" appliances.
But that includes a rapidly growing number of businesses and governments that use smart devices -- like cameras -- within their internal networks.



Why fear the bash bug? Because it's so pervasive.

According to open source software company Red Hat, it affects any device that uses the operating system Linux -- which includes everything from calculators to cars. But it also affects Apple Macs and some Android, Windows and IBM machines.

In a public warning, Red Hat researchers classified the severity of the bug as "catastrophic."

Not every connected device is vulnerable. But it's difficult for the average person to figure out if, for instance, their home security camera is at risk.

The problem is new enough that it's impossible to know if hackers are already using it. But if it's anything like the Heartbleed bug discovered earlier this year, we might not see damage for months. And when we do, it could be disastrous.

In the case of Heartbleed, hackers eventually broke into a hospital network and stole 4.5 million patient records -- including Social Security numbers.

The only solution for the bash bug? If and when a patch becomes available, update every device you have. But that's something that's not likely. Companies don't often update their fleet of devices, and customers rarely pay attention to that sort of thing.

UPDATE:
As of 9:00AM EST: We detected mass scanning of servers for the vulnerability in our OSINT-X system. The initial results look like 83% of Internet-connected devices are vulnerable.

As of 11:08AM EST: We have been informed that Red Hat's previous patches are not effective against this attack. Oracle, Ubuntu and Juniper are releasing patches to address the issue. Red Hat has not released an update yet.  

As of 12:53PM EST: We are starting to see reports of botnet activity being alerted on as a direct result of this vulnerability. Several clients have called in to ask for assistance in containing the issue.

Snort Signature for Detection:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
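An added example, not part of the original post: the same "() {" header match and per-source 120-second alert limit applied to web server access logs, for hosts where no IDS sensor saw the traffic. The combined log format, the sample lines and the function name detect are assumptions made for illustration.

```python
import re
from datetime import datetime

MARKER = "() {"        # same literal the Snort rule matches with http_header
WINDOW_SECONDS = 120   # mirrors "threshold:type limit, track by_src, count 1, seconds 120"

# Apache/nginx "combined" format; quoted fields may hold backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)

# Constructed sample log (documentation IP ranges, placeholder header values).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2014:09:00:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:09:00:05 -0400] "GET / HTTP/1.1" 200 90 "-" "() { constructed-sample }"
203.0.113.5 - - [24/Sep/2014:09:01:00 -0400] "GET / HTTP/1.1" 200 90 "-" "() { constructed-sample }"
198.51.100.7 - - [24/Sep/2014:09:01:30 -0400] "GET / HTTP/1.1" 200 90 "() { constructed-sample }" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2014:09:02:10 -0400] "GET / HTTP/1.1" 200 90 "-" "() { constructed-sample }"
not a log line (constructed malformed entry)
"""

def detect(lines, window=WINDOW_SECONDS):
    """Return (source, timestamp, field) for each alert the rate limit lets through."""
    window_start = {}   # source -> time its current limit window opened
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # malformed or non-combined line: skip it
        src, ts_raw, _request, referer, agent = m.groups()
        # Only the two headers this log format records can be checked here;
        # the Snort rule inspects every request header on the wire.
        field = next((name for name, value in (("referer", referer), ("user-agent", agent))
                      if MARKER in value), None)
        if field is None:
            continue
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        start = window_start.get(src)
        if start is not None and (ts - start).total_seconds() < window:
            continue    # this source already alerted inside the current window
        window_start[src] = ts
        alerts.append((src, ts.isoformat(), field))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

A hit here only shows that a request carrying the marker reached the server; whether bash processed it has to be established from the host itself.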

ADDITIONAL INFORMATION:

New bash bug could wreak havoc on Linux and OS X systems

MalwareBytes Blog

'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock

CNET News

Update on CVE-2014-6271: Vulnerability in bash (shellshock), (Thu, Sep 25th)

SANS RSS Feeds

Franchising complicates Jimmy John’s breach investigation as their POS vendor creds are comp'd: 2 months to notify

Team Cymru Security News  
