Apple : ‘Shellshock’ internet bug has potential to wreak havoc

Local technology experts have warned a new computer virus called “Shellshock”, which allows someone else control over your electronics without any permission, is doing the rounds.

The virus is said to be threatening the internet’s backbone.

Which machines are vulnerable?

The vulnerabilities affect machines running Linux, BSD, and Unix distributions, including Mac OS X. Apple said in a statement to AFP on Friday that OS X is safe by default unless users have configured advanced Unix services. The company said it’s working on a patch for those users.

Bash is not native to Windows, but Cygwin, a Windows version of Bash, is vulnerable. Beyond that, Shellshock has the potential to affect anyone visiting a website hosted on a vulnerable server — if the server has been compromised via Shellshock, it could deliver other malware.

How many machines are vulnerable?

It’s difficult to say. About 10% of personal computers run Linux or OS X. But then there are servers and Internet-connected devices to consider. Many security experts are comparing Shellshock to the Heartbleed vulnerability discovered in April. Heartbleed affected an estimated 500 million computers; the BBC suggests Shellshock could affect just as many, without providing details about how it arrived at that figure.

So what can you do to protect yourself against this frightening new bug, and how can you avoid Shellshock? Well, the answer is basically the same as it’s always been. There’s no special tool or patch that’ll keep you protected from Shellshock. It’s just pure, common-sense cyber security.

1. Keep Windows, OS X and Linux up to date

Unlike a lot of malware out there, the new Shellshock breed is capable only of infecting Apple computers running OS X and any machine running Linux — basically any operating system based on UNIX. As such, it’s important to keep your operating system up to date to ensure that it has the latest security patches and vulnerabilities aren’t left undetected. While it’s not clear whether Shellshock affects Windows machines, it’s always best to keep everything up to date anyway.

While there aren’t any specific updates dealing with Shellshock right now, all the major companies will be scrambling to fix the opening, and updates should be coming soon.

2. Patch Bash and backup your data

To mitigate the risks involved, Toyin Adelakun of Sestus advised: “the urgent advice is to immediately patch or update the bash software. That applies both to servers as well as clients (i.e. individuals’ systems) such as Apple MacBooks and Mac Pro desktop computers. Because they affect both client and server computers, and because they could lead to data leakage directly from computers, these risks do indeed potentially surpass those of the Heartbleed bug”.

Internet users should also ensure that all sensitive data is backed up, and make sure that no data that could compromise their company or any other organization is stored on their personal computers.

“People should not only protect their computers, but also ensure that they back up their data regularly,” said security expert David Emm of Kaspersky.

3. Perform proper security maintenance

GetSafeOnline.org has published a list of downloads it recommends to keep yourself protected.

Unfortunately, the massive demand for the service is causing the website to crash, and it’s been offline for about 24 hours now. Not very helpful, we know — but hopefully it’ll be up and running soon enough.

4. Use a password manager

Phishing gets a lot easier once the attacker has access to your personal data. Using long, complex passwords, and different passwords for each site you access will maximize your security on this front if you’re not feeling up to that, why not get a password manager?

We’ve written up a rundown of all the best password managers available, so go check that out.

5. Don’t open suspicious links

How many times do we have to tell you? Don’t open them! If you don’t know where an email came from, don’t open it. If you weren’t expecting an email from a colleague, don’t open it. If the message in the text is generic and could have come from anyone, don’t open it.

Don’t rely on hovering over the link to see the URL, either — hackers are becoming more and more sophisticated at spoofing legitimates URLs in order to infect you with malware. This is the single most common vector of attack, so protect yourself from fake emails, and you’ll be laughing.

6. Stay informed!

Make sure you stay abreast of developments. We’ll be following the story as it develops.

Final advice

The message is always the same — make sure your antivirus software, and firewall, and everything else designed to protect you is up to date.

If you’re a business, audit your ENTIRE IT estate regularly so you understand your exposure and can make prudent decisions based on accurate data. Patch wherever and whenever possible to remove threats. Minimize exposure but limiting access to data where patches cannot be applied — and then pressurize dependent software providers to upgrade their applications.

Agencies/Canadajournal