Cyber loophole alert: Warning as computer security flaw puts millions at risk of exposure to criminals
- Hackers have started using the Bash bug on vulnerable systems
- One security expert said it could be 'game over' for large networks
- Another said it could create a 'meltdown' similar to one caused in 2003
- Bug poses a threat to devices using Unix-based operating systems
- It includes Linux used in many devices such as cars and cameras
- It can also affect Android, Windows, IBM and Apple Mac OS X machines
- Bug, also called 'Shellshock', may let hackers take control of devices
- Solution is to update every vulnerable device with a software patch
- Some patches have already been released, but are still 'incomplete'
Government databases, home computers and global websites are at risk from a security flaw found in hundreds of millions of devices.
Cyber security experts were last night racing to close the loophole before it could be exploited by hackers.
Called Shellshock, it could allow criminal gangs to take control of computers, smartphones and tablets. It means credit card details, passwords and sensitive data are at risk of being stolen.
Errata Security researcher Robert Graham tweeted (pictured) an example of how the bug can be exploited to add code to websites on Macs running OS X. He warned that Bash is 'probably a bigger deal than Heartbleed' because it could threaten the security of millions of websites.
The government cyber security team GovCert UK warned all Whitehall departments to take the problem seriously. In an alert to civil servants, the agency warned that Shellshock carries ‘the highest possible threat ratings’.
The Information Commissioner’s Office warned businesses to act to update their systems, adding that those who failed to get to grips with it could be sued if hackers managed to breach their security.
The US National Cyber Security Division gave the flaw – which is also called ‘bash bug’ – a score of ten out of ten for seriousness and severity.
Shellshock is a weakness for all Apple Mac computers and those running the Linux operating system. It does not affect Microsoft Windows computers directly, but experts fear that hackers may be able to get into any computer via internet wifi routers which connect them to the web.
The flaw has existed in computer systems for at least 25 years – but it was only discovered for the first time at lunchtime on Wednesday.
Since then criminals have almost certainly been rushing to work out how to exploit it.
The flaw would allow a hacker to remotely take control of the commands that tell a computer what functions to carry out. They could access an individual’s computer first by hacking into a server that hosts a website.
Then when someone accesses the infected site, the bug would give the hacker access to all their documents, credit card details and passwords.
All Apple Mac OS X computers are also affected, as well as around half of all websites, security experts claim.
Last night major software firms had produced programmes to close down the loophole – but computers will be at risk until they have been individually updated with the new software.
Advice on how to protect your computer can be found on the government website getsafeonline.org.
Apple last night insisted most of those using its systems are safe ‘by default’. The company said in a statement: ‘The vast majority of OS X users are not at risk to recently reported bash vulnerabilities.
‘With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services [an advanced operating system].
‘We are working to quickly provide a software update for our advanced UNIX users.’
A Cabinet Office spokesman said: ‘The Government’s internal computer emergency response team – GovCertUK – issued an alert to IT security teams in all government departments on Thursday with advice on mitigation and urging rapid action.
‘All departments are being contacted to offer any further advice or assistance needed.’
Expert Richard Stiennon wrote that the code could quickly create a 'SQL Slammer type internet meltdown.'
This was a specific kind of attack that targeted the web's infrastructure and caused it to slow significantly in 2003.
Hackers are already using massive internet scans to find vulnerable servers to attack, according to Robert Graham of Errata Security, writing in a blog post yesterday.
In a test, Mr Graham ran an IP scan and found 3,000 vulnerable systems before the scan crashed.
Just a few hours later, Mr Graham found that someone was already using his method to attack computers.
'Someone is using mass scan to deliver malware,' Mr Graham wrote in an update. 'They'll likely have compromised most of the systems I've found by tomorrow morning.'
The attack has become known as the 'Thanks, Rob' worm, and shows how attacks can happen in the short window before devices are updated with a patch.
'One key question is whether Mac OS X and iPhone DHCP service is vulnerable,' he said.
'Once the worm gets behind a firewall and runs a hostile DHCP server, that would be "game over" for large networks.'
Many experts claim the flaw could be 'bigger than Heartbleed', a flaw in OpenSSL encryption that put every computer user at risk earlier this year.
'The impact is very severe, it's not overstating it to say it's a more serious bug than Heartbleed,' Professor Tim Watson, Director of the Cyber at Warwick University told MailOnline.
'The primary way this is going to be exploited is through the web… a hacker can use the bug to put malicious things on the website or to steal information, like banking details.'
Many Linux providers, including Red Hat, have already prepared patches, but Apple users were left waiting for an update for OS X. Apple representatives could not be reached.
Tavis Ormandy, a Google security researcher, said via Twitter that the patches seemed 'incomplete.'
Bash stands for Bourne Again Shell. It is what's called a command-line shell: a program that lets users control software programs and features. Commands are sent to these programs by typing text at the shell's prompt. Issuing such commands is typically restricted to programmers, but the Bash bug leaves it open to attack from anyone.
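One way for an administrator to check whether a machine's bash has received the fix, as an added example that is not from the article or any vendor: the function below runs the widely published local test, in which an environment variable holds a function definition followed by an extra command, and reports whether that extra command was executed. The function names and status words are this example's own.

```shell
# Added example (not from the article): a local, defender's check for the
# original Shellshock bug. Prints one word: "patched", "vulnerable" or
# "no-bash". Function and status names are this example's own.
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # An unpatched bash imports the function from the environment variable
    # and also executes the command appended after it. A patched bash
    # does not import functions from a plain variable and ignores the
    # trailing text. stderr is discarded so any warning does not pollute
    # the result.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

# Human-readable wrapper for running the check by hand on a server.
report_shellshock() {
    case "$(check_shellshock)" in
        patched)    echo "bash is patched against the original Shellshock bug" ;;
        vulnerable) echo "bash is VULNERABLE: install your vendor's bash update" ;;
        no-bash)    echo "bash is not installed here; nothing to check" ;;
    esac
}
```

A "patched" result covers only the original bug; as the article notes, the first patches were reported to be incomplete, so a vendor's follow-up updates still need to be applied.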
'There is a lot of speculation out there as to what is vulnerable, but we just don't have the answers,' said Marc Maiffret, chief technology officer of cybersecurity firm BeyondTrust. 'This is going to unfold over the coming weeks and months.'
Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting the Bash bug.
The malicious software can take control of an infected machine, launch denial-of-service attacks on websites to disrupt their operations and scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.
He said he did not know who was behind the attacks and could not name any victims.
The Heartbleed flaw in OpenSSL encryption affected millions of sites earlier this year. By comparison, Heartbleed only allowed hackers to spy on computers, not take control of them.
The bug could potentially allow hackers to gain access to every internet-enabled device in a person's home using something as innocuous as a smart lightbulb.
The danger with this, in particular, is that once it has access to an internet-connected device it can jump onto others, in theory. This includes smart locks that open front doors.
By comparison, 'Heartbleed' - dubbed a 'critical security flaw' at the time - only allowed hackers to spy on computers, not take control of them.
Bash does not require users to rush to change their passwords, but it does provide another way for hackers to take control of computers and devices.
'The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results,' according to Dan Guido, chief executive of cybersecurity firm Trail of Bits.
Its potential to disrupt Apple Mac computers, which use the Bash software, is of particular concern, experts warned. The bug could allow hackers to gain access to every internet-enabled device in a person's home. The danger with this is that once it has access to an internet-connected device it can jump onto others in the home, in theory. This includes smart locks, such as the August lock (pictured), that open front doors remotely.
The only solution is to update every device that is vulnerable with a patch. And this can only be done by website and server owners, and by individuals on their home computers.
Professor Watson has dismissed Apple’s confidence that their operators are 'safe by default'.
‘Apple say their computers are secure but that is optimistic to say the least. It could affect any version of a Mac and potentially phones and tablets too.’
A spokesperson for the Information Commissioner's Office said businesses have legal obligations to keep personal information secure.
'The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it,' he said.
'Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action.'
'Heartbleed,' discovered in April, was a bug in an open-source encryption software called OpenSSL.
The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites.
It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.
Bash is a shell, or command prompt software, produced by the non-profit Free Software Foundation. Officials at that group could not be reached for comment.