White hat claims Yahoo and WinZip hacked by “shellshock

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#1 Post by James C »

White hat claims Yahoo and WinZip hacked by “shellshock

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#2 Post by prehistoric »

Opinion: this is the more immediate threat for Puppy users, that some service they rely on out on the Internet will be compromised, not that anyone will attack their personal system.

Of course, if you leave your system unpatched long enough, then eventually someone will get around to exploiting the vulnerability. However, right now the threat comes from processes that don't even run on your machine. When you set up a secure socket connection with a remote server handling some sensitive transaction you can be fairly confident the encryption will prevent attacks on data in transit. What no encryption scheme can prevent is exploitation of a server at the end of the pipeline which has already been compromised, but not yet recognized as such.

While current operation of SSH uses public key cryptography to protect users without having all keys issued by a central authority, this still depends on a trusted authority which keeps track of the correspondence between public keys and named entities using them. We have all by now been exposed to the problem of people on the Internet not always being who they claim to be. Many have also discovered that data they thought kept secret by a well-known business had ended up in the hands of the last people they would trust. This phase of the problem is still very active, though so far, the results have not been dramatic. It appears the blackhats were also taken by surprise.

In addition to the serious problem of communicating with a server at the other end of the pipeline which is itself compromised, we have another nasty possibility getting less attention at the moment. You tend to trust your ISP to perform some basic operations required to set up secure communication. If servers there are compromised, it is quite possible you will fall victim to a "man in the middle" attack. Your secure socket to an uncompromised site may actually be connecting you to someone else who filters and alters your communication, then passes it along using another secure socket. There are more details to sort out to exploit this, but that is the basic idea. My recent experience with a local ISP indicates they are not exactly swift at resolving problems, even when these are not the result of hostile action. They are barely maintaining normal operations at the best of times.

The "long tail" of the vulnerability will come when Internet appliances with firmware seldom -- if ever -- updated are used to break into poorly policed small networks. (Here's an example of one used to manage multiple systems on a business network. That vendor at least recognizes the need for a hotfix.) I can't tell you how many appliances have a cute web interface put together with shell scripts using bash. A major supplier like Cisco, whose main business is connected with routers, will probably do a good job of issuing updates for existing equipment (which individual users of equipment may or may not apply). Smaller firms, for whom reputation for web security is less important, are likely to abandon customers who bought older devices. Here's a recent article about the effect on "the Internet of Things".

Added: I've already gone a round with one person convinced they were not vulnerable because they "never pass strings from untrusted sources to run system commands without validating these". They were slow to catch on that having bash unintentionally reparse variable strings altered by users could allow a syntax error to execute new commands. False belief that you are not vulnerable will be a continuing problem.
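Detection logic for the header-reparsing case prehistoric describes (a CGI script handing request headers to bash through the environment), as an added example that is not code from this thread. It parses web-server lines in the usual combined log format and flags any request whose request line, referer or user-agent starts a bash function definition; the log lines are constructed for illustration.

```python
"""Flag web-server requests whose headers carry a bash function-definition
prefix, the shape that a CGI script running under an unpatched bash would
reparse from the environment. Sample log lines are constructed."""
import re

# Apache/nginx "combined" format: client, identity, user, [time], "request",
# status, bytes, "referer", "user-agent".
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A bash exported-function header: "()" followed by "{" with optional
# whitespace in between. Legitimate browser headers never take this shape.
_FUNC_DEF = re.compile(r'\(\)\s*\{')

def parse_combined(line: str):
    """Return the field dict for one combined-format line, or None if malformed."""
    m = _COMBINED.match(line.strip())
    return m.groupdict() if m else None

def flag_shellshock(lines):
    """Return (client, field, time) for each request whose request line,
    referer or user-agent contains a function-definition prefix. Malformed
    lines are skipped; one hit per request at most."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if _FUNC_DEF.search(rec[field]):
                hits.append((rec["client"], field, rec["time"]))
                break
    return hits

# Constructed sample: two ordinary requests, two carrying the probe shape
# (one in the user-agent, one in the referer), and one malformed line.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '203.0.113.4 - - [26/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "curl/7.37.0"',
    '203.0.113.5 - - [26/Sep/2014:10:02:30 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() {:;}; echo probe" "Wget/1.15"',
    'not a log line',
]

if __name__ == "__main__":
    for client, field, when in flag_shellshock(SAMPLE_LOG):
        print(f"{when} {client}: function definition in {field}")
```

Point it at a real access log (one line per list element) to see which hosts probed your CGI scripts; a hit against a script that runs under an unpatched bash is the case the post warns about.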

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#3 Post by 8Geee »

GRC is also reporting on cert-spoofing at major websites such as Yahoo.

Details at https://www.grc.com/fingerprints.htm
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
