
What is the Shellshock exploit? A wake-up call.


The Shellshock exploit, or Bash Bug, has received a fair amount of attention as a serious vulnerability that could allow hackers to take control of a computer system, be that a Mac or a Unix-based operating system such as Linux.

How does it actually work, and how much damage can one expect?

Before answering these questions, we must ask ourselves: is Shellshock a bug?

The answer is no. The news reported it as a bug. Many tech blogs and similar outlets called it a bug.

Shellshock is not a bug. Not even close.

A bug is a mistake in programming. An error. A glitch.

Shellshock is a way to exploit a very innocent and very deliberate feature that exists within many operating systems.

Techies commonly define Bash as a CLI, or Command Line Interpreter. Again, not a bug. Bash is to Unix and Mac OS as DOS is (or was) to Microsoft Windows. Bash is a way to run programs and issue commands to an operating system using text-based input, which is as close as it gets to live programming. There may be ongoing discussion about whether a bug is present in Bash or whether it is simply a documentation problem, as a group of Redditors recently pointed out and fiercely debated. Yet any CLI must offer a level of operational complexity that can often result in unpredictable consequences, in the eyes of the average user, when an adequate level of expertise is available.

Each command can use options, or switches, that let a program run a little differently. Bash allows these commands to run live, over a network, through SSH (Secure SHell) access. This is where the exploit takes form, and where the news wires hit the panic button for the masses to run for the hills.

Keep calm and read on:

The ability to run shell commands goes way back. Early in our computing history, long before graphical user interfaces made their appearance, it was the only way to operate a computer and connect to it over a network.

Operating systems have retained the ability to run commands over a CLI for very good reasons, ranging from speed of execution, unhindered by resource-heavy graphical interface overhead, to the simplicity with which system administrators can troubleshoot and fix systems over a network.

There will always be a way to communicate with computers via shell commands, and that is a very good thing, especially in the business world, where the ability to support an entire floor of computer systems quickly and effectively is crucial.

Is the threat real?

It would be extremely naive to say that the threat is not real. It is very real; however, certain conditions must be met for damage to occur. The difference between a bug and an exploit is the same as the difference between a narcoleptic security guard and a lockpick.

In the former instance, the system is compromised from the inside, for example by a weak password, or a security layer that is too open or thin.

In the latter case, the hacker uses the software’s own limitations and vulnerabilities to actively gain access to a system, for example by using social engineering to gain passwords, or by communicating with the system itself through shell commands, the way hackers have done since the old days, and using the system’s own features (not bugs) against itself.

The number of occurrences involving the Shellshock exploit has been negligible so far, mostly due to the very same conditions that must be met for the security exploit to occur.

For one thing, the exploit works only when a computer is online, but that is not enough. The IP address of the live system must be known. Most users are safe, as the majority of systems in use are laptops or mobile devices connected to WiFi hotspots, which provide dynamic IPs that change routinely, and too quickly for any meaningful attempt to succeed within a reasonable timeframe.

Aside from knowing the IP address of the target computer, advanced UNIX services must be active on the target system, the absence of which would make the exploit impossible to carry out.

In the case of stationary systems, such as a Mac Pro Server or a Mac Mini Server, the threat becomes slightly more serious, and the recently released patch from Apple provides an additional layer of security against these types of live threats.

How likely is Shellshock to hit your Apple Mac?

Any active exploit, much like any meaningful attempt at pickpocketing or burglarizing a home, requires a certain amount of effort and commitment.

Just like the issue brought up about Touch-ID on the iPhone, criminals will only go so far before time and resources outweigh any reasonable looting expectation. This is why the vast majority of Mac users are safe: Shellshock, compared to other more common and more passive web-based hacking methods, is simply a big waste of time for any serious hacker to employ.

By comparison, Windows users running virtual web server software like WAMP, which is designed to broadcast web content from a personal computer directly to the world wide web over the HTTP protocol, are far more at risk, as the requirements to run a virtual web server can lower the security of a system considerably without proper security layers in place.

It’s important to understand that, while no system in the world is truly safe, what stops a hacker is not the strength of a security system, but rather the time, risks and labor it takes to break in. Just like a deadbolt on a front door, its job is not to be impenetrable; its job is to stall intruders long enough for them to either give up or be caught.

What about the Internet of Things?

Now, THAT is a good question. Internet-connected household devices, such as security cameras, baby monitors, and smart TVs, can be hacked much more easily than laptops.

The reason, once again, is not that there are bugs to fix. More often than not, these devices have weak passwords, or no passwords at all, which makes access child’s play... and yet that is conditional on the security settings in the WiFi router. Again... common sense prevails.

