“What is all this news about some bash thing?”
The simplified answer is that systems running a program called “bash” have a flaw that lets an attacker run commands of their choosing. Bash is technically a “shell”, which is where the nickname “Shellshock” came from. The flaw is in the way bash reads its environment: a specially crafted environment variable is treated as a function definition, and any command appended to it is executed, so any service that passes attacker-controlled input to bash through the environment can be abused. Affected systems are those with bash installed, which in practice means most Linux distributions, many Unix systems, and Mac OS X. Microsoft Windows is not susceptible (unless Unix-emulating software such as Cygwin has been installed on the machine, which is a rare case). Vendors are frantically releasing updates to remove the flaw, and patches are being rolled out as this article is typed.
What is the risk to your business? If you host Unix, Linux, or Mac OS X systems locally, work with your IT support staff to patch them as quickly as possible, and keep patching as further updates are released: the first fix was incomplete, and vendors have issued follow-up patches. While patches are still being released, talk to your IT staff about temporarily disabling the services that can be abused. Linux is embedded in many of today’s devices, so firewalls, routers, wireless access points, etc. may also be affected; note, though, that many embedded devices ship a smaller shell (such as BusyBox) instead of bash, so check with the vendor rather than assume either way. It is important to note that the attack can arrive through a variety of services (for example, web servers running CGI scripts, or DHCP clients accepting options from a rogue server), so laptops and desktops running such services are at risk, not only Internet-facing servers.
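For the systems you patch yourself, IT staff can confirm whether a given machine still carries the original flaw with the following script. It is an added example, not part of the original article: it hands bash an environment variable shaped like a function definition with an extra command appended, and reports “vulnerable” if bash runs that command while starting up, “patched” if it does not, and “no-bash” if bash is not installed at all. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): local check for the
# original Shellshock flaw. A vulnerable bash executes the command that
# follows the function body ("echo vulnerable") while importing its
# environment; a patched bash ignores it.
shellshock_check() {
    bashbin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    # The child command itself is a no-op (':'), so the only way the word
    # "vulnerable" can appear on stdout is if bash ran the appended command.
    # stderr is discarded because early patched builds print a warning there.
    out=$(env x='() { :;}; echo vulnerable' "$bashbin" -c ':' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Pair the result with the bash build string (first line of "bash --version")
# so the output can be pasted straight into a ticket for IT staff.
shellshock_report() {
    status=$(shellshock_check)
    if [ "$status" = "no-bash" ]; then
        echo "bash not installed: not affected by this flaw"
    else
        echo "$(bash --version 2>/dev/null | head -n 1): $status"
    fi
}

shellshock_report
```

A “patched” result only covers the first flaw; because later updates fixed related parsing problems, the bash version reported should still be compared against the vendor’s latest advisory rather than taken as proof that the system is fully up to date.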
If you use third party website hosting providers, you should contact them and ask the following questions:
1) Are your servers susceptible to this attack? (If they use Unix or Linux servers, the answer is almost always “yes”)
2) What are you doing to remediate the issue?
3) Have there been any signs of a system compromise?
4) Do you have my most up to date contact information in the event of an issue?
If you’re using hosted infrastructure such as Amazon EC2, the burden is on your organization to update your servers. Companies like Amazon provide the initial operating system image, but patching the running instance is the customer’s responsibility.
Want to know more? Please reach out to our IT Audit and Security consulting service at 617-471-1120.