Well, it did not take long for the Internet, and the world, to be introduced to a new threat. On the heels of the Heartbleed bug comes a new vulnerability, which may turn out to be far worse. The vulnerability, discovered in September of 2014, has ramifications across the entire Internet and cloud community. The U.S. Department of Homeland Security reported on the gravity of the exploit, outlining a major flaw affecting the “Bash” command, which is present in most Unix-based operating systems. The exploit could allow a remote attacker to execute arbitrary code. To put that in layman’s terms, it allows cybercriminals to attack networks, devices and various servers across the planet.
So why is this “bug” feared more than others in the past? The Heartbleed vulnerability received worldwide attention back in April of 2014. It showed the world some serious flaws in what were supposed to be encrypted and secure communications (OpenSSL). Heartbleed allowed hackers to get access to the very encryption keys and passwords of secure networks, from systems compromised by the flaw. Unfortunately, the flaw dealt a serious blow to open source, more specifically OpenSSL, as it showed us that the resources needed to manage security issues were definitely. Granted, many companies, realizing the importance of open source, have helped to shore up those deficiencies.
Shellshock, on the other hand, seems to be a larger and more serious threat to the very core of many networks, devices and servers. Shellshock is found in Bash, a powerful and flexible tool for administrators and programmers alike, which is found in Linux-based operating systems, along with OS X. In addition, many “Internet of Things” devices use Linux code to operate. Even routers and other Internet-ready (or cloud-based) devices utilize the tool. Patches are available and security organizations are recommending that fixes get applied quickly. Unfortunately, with Bash being such a widely used tool, many systems will remain unpatched for a long time.
Unix-like and Linux systems were generally thought of as simple, straightforward, secure and free, which allowed companies and programmers alike to quickly create a product or implement their solution. There are devices, in the line of “The Internet of Things”, which no one will be checking. Unix code is found in appliances, electronics in cars and many other devices. Companies, developers and all stakeholders will need to take time and think about how these issues will affect our interconnected world. We cannot simply create without thinking about the long-term implications of our decisions; innovation, and IoT technology, cannot operate in a vacuum without understanding the consequences.