Shellshock as Bad as Heartbleed Bug

My current generation iMac with the latest OSX 10.9.5 shows the Shellshock bug

Just when you thought computer security couldn’t get any worse, it did. Much worse.

Remember the Heartbleed bug a few months ago? This new “Shellshock” bug is at least as widespread and, in many ways, even worse.

Web servers are responsible for presenting the information you see and read when browsing the Internet. Your web browser (Chrome, Firefox, Internet Explorer, Safari, etc.) is responsible for displaying the information retrieved from a web server.

The majority of web servers on the Internet run a variant of the UNIX operating system, including Linux. According to W3Techs Web Technology Surveys, 66.9% of all web servers are running a UNIX operating system variant, which includes the Apple OSX operating system.

This Shellshock vulnerability is specific to what is called the bash shell on these UNIX systems. Think of the bash shell as a command line interface for doing things without a mouse and graphics.

That alone is bad enough, but what makes this particularly troubling is that the Apache HTTP (web) server, which is what these systems use for serving up your cat videos and memes, uses the bash shell for processing certain commands.

That means that nearly 2/3 of all web servers are vulnerable to a hacker maliciously embedding code or taking over a web server. With that, the malicious hacker could load a virus, worm, or trojan on YOUR computer when you visit an affected website.

Uh-oh.

Let me make this worse for you. Not only could bad guys exploit this to infect you, they could exploit this to take over corporate networks, and possibly even your smartphone. That’s right, your smartphone.

Suddenly the Target and Home Depot hacks appear to be small-time operations.

And like the Target and Home Depot hacks, you are almost helpless. If you are a network or web administrator, immediately patch all of your systems. Right now.
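For administrators who want to confirm that a patch actually took, here is a small self-check script (an added example, not from the original post). It runs the widely published harmless probe against the local bash only: a function definition is exported in an environment variable with a command appended after the closing brace, and an unpatched bash executes that trailing command while importing its environment. The bash path argument and the verdict strings are this example's own conventions.

```shell
#!/bin/sh
# Shellshock self-check (added example). Tests only the bash on this machine.
# Usage: sh shellshock_check.sh [/path/to/bash]

shellshock_check() {
    bash_bin=${1:-bash}   # assumed argument: which bash to test, default "bash" on PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi
    # The probe: "echo probe-ran" sits after the function body. A patched bash
    # ignores it (and warns on stderr); an unpatched bash runs it on import.
    out=$(env probe='() { :;}; echo probe-ran' "$bash_bin" -c 'true' 2>/dev/null) || true
    case "$out" in
        *probe-ran*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# Verdict plus the bash version string, so the result can be logged per host.
shellshock_report() {
    verdict=$(shellshock_check "$1") || true
    ver=$("${1:-bash}" --version 2>/dev/null | head -n 1) || true
    echo "$verdict: ${ver:-unknown bash version}"
}

shellshock_report "$@"
```

Run it again after every bash update; a "vulnerable" verdict means the package on that host still needs patching.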

If you aren’t a tech administrator, follow all of my basic rules on how to protect yourself from my article HERE.

And if you want a little more detailed reading on the Shellshock bug, take a look at the U.S. Department of Homeland Security National Cyber Awareness System report HERE.

Heartbleed Bug Demonstrates Deep Vulnerabilities of the Web


If you haven’t yet heard, a massive vulnerability in a key piece of security software was announced this week. Researchers call it the Heartbleed bug.

Simply put, it is not your fault. Web servers at banks, airlines, and shopping sites use a type of encryption called Secure Sockets Layer or SSL. Your browser will display a lock icon in the address bar and maybe even change colors to green demonstrating you have a secure connection. Many websites use a piece of Open Source software, meaning nobody owns it and everyone can see the code, called OpenSSL.

OpenSSL is where the vulnerability was found. The problem is that 2/3 of all internet sites using SSL to secure the communication between your browser and their server use OpenSSL.

Why is that a problem? This bug means hackers can intercept what is supposed to be encrypted information between your browser and the bank’s server. In other words, what is supposed to be unreadable is readily readable to criminals.

And it gets worse.

In the past 24 hours or so word has leaked out that the core equipment used for the internet itself and most corporate networks has this bug too. According to Network World, Cisco and Juniper routers are affected.

This is where it gets really ugly.

Fixing the OpenSSL bug on a website is relatively easy and the majority of websites have already put in the patches. Tracking down every router, taking it offline, and installing patches from the vendors is a very time consuming and difficult process that might take months.

Initially I wasn’t too concerned about you and me. This latest round of news truly has me worried and you need to take action now.

I am now suggesting to you and everyone you know that you take the time to change your password on every bank, shopping, travel, etc. website where you transact business with username/password and/or credit card information.

And then do it again in a week and then again in a month.

Too difficult to remember all of your passwords? There are tools to help you besides sticky notes on the side of your monitor.

Protect your passwords using software like Password Safe, 1Password, or pwSafe. Those applications are a securely encrypted safe in which to store all of your passwords. Use the random password generator in the software for creating your passwords.

When you use software like those three, use an entire password phrase as the master password. Something you can remember like the old “The quick brown fox jumps over the lazy dog”, but make sure to use spaces and capital letters, even use the quotation marks if you’d like.

Here are some basic rules:
• Always use a password; never let a password be blank
• Always change a password immediately after receiving one that was given to you
• Use as many characters as possible when creating a password; don’t just use eight, use 16 or 20 or more
• Use different passwords everywhere, at least for sensitive information like banks or anywhere they might store your credit card information

UPDATE 4/12/14 11:30 PDT – McAfee has a handy tool for testing websites for the Heartbleed vulnerability. You can use it to test a site you might visit BEFORE you go to the website. Click HERE for McAfee’s tool