Shellshock: What You Need To Know About The Latest Round Of Cyber Security Threats
If you’re trying to navigate the news concerning Shellshock, you can be forgiven for thinking the coverage is written in another language. The official name for the exploit, CVE-2014-6271, sounds like it should come from a “Star Trek” character. It’s not easy to explain and it’s even harder to figure out what to do about it. Let’s first see what the exploit is and then see what you need to do to keep yourself safe.
Shellshock is an exploitable security gap in Bash, one of the most popular operating environments for Internet backbone computers. Bash support is rare for home computers and is disabled by default on OSX and Windows devices. It’s extremely common, though, on email and website hosting servers, which usually run Linux-based operating systems. Shellshock allows hackers to operate servers remotely, installing and operating software, accessing data and executing operations.
It might seem like Shellshock is a problem for other people, but it’s a serious security concern for everyone. From hotels to credit card companies, Bash-operated computers are everywhere in e-commerce, and unless they’re using a patch that was released on Sept. 29, they’re vulnerable to remote manipulation. This could put sensitive data at risk. More seriously, hackers can use remote servers to distribute malware and engage in further acts of cyber crime.
How many computers were affected by the bug? It’s difficult to say. The flaw was discovered on Sept. 26 and exists on devices other than computers. Automated engineering equipment, database maintenance computers and even facilities management machines run variants of Linux that rely on Bash. Many of these devices were set up with the expectation they would never need software maintenance, so getting an accurate count of devices is impossible. Early estimates by security experts at HP suggest that the loophole could affect a half-billion computers in America.
Worse yet, the exploit has been embedded in the system for as much as 22 years. Linux archivists charged with tracing the flaw claim that the bug may have been allowing limited access to online machines since 1992. This means the scope of the problem could be far greater than Heartbleed.
We at American United update our systems regularly and your data security is the highest priority. Our systems were updated immediately upon announcement of the threat’s discovery and we will always keep our members informed of any threats to their privacy. There are steps you can take to protect your privacy online, as well.
1. Do not install any software that claims to fix this patch unless it comes from the manufacturer of your operating system. There are two ways cybersecurity problems cause damage: first, the damage of the actual attack, and second, the collateral damage from the panic and insecurity in the wake of the crisis. Many opportunistic criminals will use the confusion surrounding the bug to distribute malware and other harmful programs. Unless you have specifically enabled Bash on your PC, Mac, or mobile device, you do not need to install any new programs to stop the bug.
2. Change your passwords. One of the common commands hackers run with Shellshock is to download a list of passwords and account names. If you’ve used a password somewhere, assume that password is no longer secure. Choose a new, strong password. If you’re struggling, try using the four random words strategy pioneered by cryptologist Randall Munroe. Put four random words together, capitalize the first letter of each word, and put a number and a piece of punctuation on the end – like FootballAnarchyMondayCamden4! – to create an easy-to-remember but hard-to-guess password.
3. Keep a careful eye on your account and card statements. Watch for small, recurring charges. For many hackers, the easiest way to make a living is to steal a dollar a month from a thousand people. The odds of getting caught are lower than trying to steal a thousand dollars from one person and the profits are the same. If you see suspicious activity, call your issuing institution immediately to put a hold order on the account.
4. Avoid storing your credit card information with online retailers. Not only can this expose you to identity theft, but it can also make it easier to impulse spend. Shellshock is not the last security bug we will see. It is smartest to begin expecting this level of insecurity and keeping your personal information in as few places online as possible.