Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

A serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is a part of many Linux / Unix systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was just disclosed yesterday 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11 but that bug required more work to exploit holes, whereas Shellshock opens the way for hackers to add and manipulate code or data into “shell” commands.

Several exploits have already been identified in the wild (read here, here and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is system administrators and developers need to patch this Bash bug asap.

PATCH AVAILABLE

There are patches available through the links below and realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Labs’ Global Research & Analysis Team has great Q&A about the “Bash” vulnerability with an easy test on how to check if your system is vulnerable on Securelist.com. There is some geek-speak throughout the Q&A but it could be helpful to some techie users and programmers.

The patching process for Apple users is described over at StackExchange,  but be warned – according to Mashable, it requires a certain level of command line-level knowledge to be applied.

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kasperksy said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld

Hero Dogs Of 9/11 Legacy (follow-up video by Dog Files)

Ten years after the World Trade Center attack, the working dog community comes together to honor the dog teams that worked at Ground Zero.

Thank you Dog Files for honoring these amazing USAR K-9 teams.

Also see original Hero Dogs of 9/11 video and our tribute to 9/11 Ground Zero Responders. Never forget.

 

Hero Dogs Of 9/11 (video tribute by Dog Files)

A tribute to the more than 300 search and rescue dogs that helped in the rescue effort at the World Trade Center after terrorists attacked on September 11, 2001.

Learn more about Dog Files

Also see our photo and video tribute to 9/11 Ground Zero Responders from 2013. Never forget…

Purr-fect Preparedness messages (funny cat photos from APHA)

These cute kitty cats have some purr-fect messages for National Preparedness Month and year-round. Our thanks to APHA Get Ready campaign organizers for coming up with such creative ways to encourage preparedness and participation in their annual photo contests.

See more pics on APHA’s 2012 Get Ready Cat Preparedness photo contest page (or cheezburger.com), and visit their 2014 Get Ready Tips from Tots photo gallery and 2013 Pup-Preparedness gallery for more cuteness.

Learn more about the American Public Health Association and their upcoming Sep. 16th Get Ready Day at www.APHAGetReady.org or follow them on Twitter @GetReady

Also learn more about National Preparedness Month and our Disaster book … and take action to get prepared for emergencies and life disruptions. Stay safe, j & B

Save

ABCs of School Emergency Planning (resources for schools, educators + parents)

The following appeared in FEMA and Citizen Corps’ 4-Sep-2014 Individual and Community Preparedness e-Brief:

It’s September once again and that means children across the country are heading back to school.

Do you know the emergency plan at your child’s school? What about the steps the school will take to share pertinent information with you?

As a parent, it’s important to understand what will happen after a natural disaster or emergency at your child’s school.

Here are the ABC’s of what you should know about a school’s Emergency Operations Plan (EOP):

1. Always ensure your school has up-to-date evacuation plans, emergency kits and contact sheets. Ensure your school’s nurse has your child’s medical information and medications on hand. Ask your child’s teacher to walk you through their evacuation plan and show you their emergency kits.
2. Be Prepared. Provide your school with your cell phone number, work phone number, and contact information for your relatives. If your child is old enough to carry a cell phone, make sure they know how to text you or a designated contact in case of an emergency. Also, be prepared to have a conversation with your child about emergencies and hazards.
3. Coordinate with your child’s teachers and school officials to set a plan in place if there is not one. Guide them to Ready.gov for more resources and encourage the school to perform school wide drills and exercises as part of America’s PrepareAthon!

These ABCs, tools and resources are just the tip of the iceberg when it comes to your child’s at-school safety. For more information on how to get started visit www.ready.gov/school-emergency-plans

Disaster book Special and more ideas for National Preparedness Month

In honor of National Preparedness Month, we wanted to share some Fedhealth specials and ideas in case they can help with your public education campaigns and efforts during NPM and throughout the year.

Special NPM Pricing

We are discounting our price on our 266-page IT’S A DISASTER! books to over 50% off list (or only $7.00 each) on ANY quantity purchase now through September 30, 2014. (Note, our ebook is only $5.)

Our book price price is always deeply discounted (up to 70% off list) in support of our grant and funding programs. (Price updated as of 2015)

Our disaster preparedness and first aid manuals make great gifts for employees, volunteers, family members, friends and communities, and books can be customized for free to include logos and special messages to recipients. Plus we will donate 10% to 30% of orders back to our partners and others helping spread the word. Learn more or call Fedhealth at 520.907.2153

Creative Public-Private Partnership programs

Many times agencies and volunteer groups want to purchase IT’S A DISASTER! books for local volunteers and citizens, but they don’t have any money in their limited budgets. Plus nonprofits, schools and First Responders are always looking for ways to raise money. So ~ a creative way to get local businesses involved is to sell advertisements or acknowledge sponsorship inside books (or eBooks) … and Fedhealth will print the ads and other data for FREE and throw the value in as “match” on your paperwork.

Groups can collect anything you can for ads or sponsorship … take cash, lines of credit, barter or trade (whatever you can get) … and keep it all since Fedhealth prints them for free..! It’s a whole community approach to resilience and preparedness. Learn more about our funding ideas.

School / Youth Group Fundraisers

A great way for schools and youth groups to participate in September’s National Preparedness Month is to use our preparedness book as a fundraiser (and collaborate with local Chambers, Rotarys and others to get discounts and freebies for the public) and earn profits while educating local communities! Learn more

Use up those leftover federal grant dollars

Many Federal grants close out September 30th so if your agency or nonprofit has dollars that need to be spent before a certain deadline, please consider using customizable IT’S A DISASTER! books to commit those funds. Our book qualifies as community education on grants providing almost a $4-to-$1 return on match. Learn more or call Fedhealth at 1-888-999-4325.

Read about some more creative ideas and activities for National Preparedness Month and please share these resources with others.

Stay safe all, j & B

Source: Fedhealth Aug 2014 enews

Some examples of National Preparedness Month activities and projects

September is National Preparedness Month (NPM or #NatlPrep) and we – along with a coalition of thousands of private, public and nonprofit organizations – are encouraging businesses, groups, schools and families to take time to help your community get better prepared for disasters and emergencies of all kinds.

Below are some creative projects and ideas that other organizations are doing (or have done) in case these could benefit your preparedness campaigns.

A key goal is to come up with fun and educational ways to get kids and adults involved..!

Some examples of NPM activities

During National Preparedness Month FEMA and Ready organizers are asking Americans to take action by planning a National PrepareAthon! Day on or around September 30th. America’s PrepareAthon! encourages millions of people to focus on simple, specific activities like hazard-specific drills, group discussions, and exercises that will increase preparedness.

Join the America’s PrepareAthon! campaign and register to participate in the September 30 national day of action. Once you register you have access to guides, social media tools, and customizable materials you can use during drills or exercises on 9/30 and year-round. The key is turning knowing into doing!

This is the 5th year of the 30 Days, 30 Ways Preparedness Challenge, in honor of National Preparedness Month. This game has grown exponentially over 4 years with over 10,000 preparedness tasks being completed. In the past, CRESA have relied on community donated prizes which have come in all shapes & sizes. This year, organizers want to reward players with $10-25 Amazon Gift Cards which are easier to share across the globe and don’t require shipping costs to their agency.

Help sponsor #30days30Ways and learn more about the Preparedness Challenge at www.30days30ways.com or follow them on Twitter@30Days_30Ways or Facebook

Entries are no longer being accepted for the APHA’s Get Ready Tips from Tots Photo contest but they will be announcing the winners in September, so stay tuned for some baby cuteness. Winners will be featured in a Get Ready calendar. Visit APHA’s baby photo gallery

And if you missed their past few contests, check out  APHA’s Get Ready Cat Preparedness Photo Contest  and Pup-Preparedness Photo Contest.

Learn more about APHA at www.getreadyforflu.org or follow them on Twitter@GetReady

The Emergency Kit Cook-Off challenges you to find creative use for the three day’s worth of food and potable water that you squirreled away for the family in case of an emergency. The Emergency Kit Cook-Off offers the public two ways to participate—1) vote on ingredients and 2) submit a recipe.

Learn more and join the fun at www.emergencykitcookoff.org or follow them on Twitter at @KitCookOff  or on Facebook

Another way to support your community is to join a local Citizen Corps , CERT or Medical Reserve Corps … or call your city or county Emergency Management, Fire, Police, Health or Sheriff Department and ask about volunteer opportunities. Or talk to your local Salvation Army or Red Cross office … and get involved!

Learn more about National Preparedness Month at www.ready.gov/september and encourage your families, friends, co-workers and communities to take action to prepare!

Source: Fedhealth Aug 2014 enews