

Shellshock: What Cyber Security Experts Have to Say About Bash Bug

26/09/2014 by


In the last 48 hours news about the latest serious security vulnerability known as Shellshock has spread quickly around the world.

The bug, which affects systems running Linux and Unix software, has been around for 25 years and is found in Bash, a command line shell that gives power users the ability to easily control how software operates.

Google and Amazon are said to be working to protect their servers, Apple has admitted that Mac OS X is vulnerable and there have already been reports of the vulnerability being exploited in the wild.

To get a sense of just how serious the Shellshock bug is, and what implications it has for system administrators as well as ordinary internet users, we've canvassed seven top cyber-security experts to get their views:

Jaime Blasco, labs director of AlienVault, reveals that his team has discovered attackers who are already actively exploiting Shellshock:

We have been running a Honeypot since yesterday that basically emulates a system that is vulnerable. We found several machines trying to exploit the vulnerability. The majority of them are only probing to check if systems are vulnerable.

On the other hand we found two attacks that are actively exploiting the vulnerability and installing a piece of malware on the system. These pieces of malware turn the systems into bots that connect to a C&C server where the attackers can send commands. We have seen the main purpose of the bots is performing distributed denial of service attacks.

Joe Siegrist, CEO and co-founder of LastPass, urges system administrators to be proactive rather than reactive, and take action now to protect their systems:

We are seeing Shellshock being actively exploited. Those companies that are not as proactive are at huge risk and may have already been exploited. The reason this could be potentially worse than Heartbleed is that with Shellshock you can make things run on a server, and get access to anything on that server, so in that way the exploits could be worse in terms of the actions that can be taken and the data at risk, and have worse consequences than Heartbleed.

Troy Gill, senior security analyst of AppRiver, believes one of the biggest issues with Shellshock is that the systems it affects are typically those that see themselves as less vulnerable:

One major element that I believe could cause some issues is the fact that a lot of these users are part of the community that likes to believe that their systems don't get malware because of the operating systems that they use. While it's true they are less targeted, they are in no way invulnerable to attack. This could be a case in point if cybercriminals decide to make a move to quickly begin exploiting this vulnerability.

Tim Erlin, director of security and risk at Tripwire, says that in conjunction with Heartbleed, Shellshock poses a double headache for system administrators:

This vulnerability in Bash delivers a kind of double-whammy to the IT security folks responsible for patching systems. The overlap of systems vulnerable to Heartbleed will be very high, and so the systems that are already difficult to patch for Heartbleed will also be difficult to patch for this new vulnerability. It won't be long before we have a call to action for addressing this because of an actively used exploit.

Tom Cross from Lancope warns that as well as computers and web servers being vulnerable, so will be critical industrial systems controlling everything from the electricity grid to nuclear power plants:

Shellshock is particularly concerning in the context of Industrial Control Systems and SCADA, where there may be many vulnerable devices that are difficult to upgrade. Earlier this year, a sophisticated waterhole attack targeted users of a variety of industrial control systems and industrial cameras. Those attackers now have an entirely new attack sector to explore.

Richard Cassidy, senior solutions architect at Alert Logic, attempts to pour some cold water on some of the panic that is beginning to emerge, saying that it will require a sophisticated attack in order to exploit the Bash bug:

The specific vulnerability found does require a specific set of conditions to be met. We need to look at this in context; yes it's a vulnerability and organisations should absolutely take steps to apply those patches currently being released; but to be exploited with this vulnerability we'd be looking in most instances at a very targeted attack, as opposed to an opportunistic 'script-kiddie' one.
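Several of the experts above urge administrators to patch now; the script below is an added example (not from the article or any of the quoted vendors) that checks whether the Bash on a host still runs a command appended to an exported function definition, which is the original Shellshock bug. It reuses the widely published environment-variable test; the function names and the marker string are this example's own choices.

```shell
# Added example: verify that a host's bash no longer has the original
# Shellshock bug (commands appended to a function definition passed in
# an environment variable were executed when bash started).

# Returns 0 if the tested bash is vulnerable, 1 if it is patched,
# 2 if the binary cannot be found. $1 is an optional path to the bash
# binary to test; the default is whatever "bash" resolves to in PATH.
shellshock_vulnerable() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Marker chosen for this example: a patched bash must never print it,
    # because it only appears in the trailing command after the function body.
    marker="SHELLSHOCK_CHECK_MARKER"
    probe_output=$(env probe_var="() { :;}; echo $marker" \
                   "$bash_bin" -c 'echo probe_done' 2>/dev/null)

    case "$probe_output" in
        *"$marker"*) return 0 ;;   # trailing command ran: vulnerable
        *)           return 1 ;;   # only the child's own command ran: patched
    esac
}

# Human-readable wrapper suitable for a host-inventory or patch-audit run.
# Written so that it behaves correctly even when the caller uses "set -e".
shellshock_report() {
    bash_bin="${1:-bash}"
    if shellshock_vulnerable "$bash_bin"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "VULNERABLE: $bash_bin executes commands appended to env function definitions; patch now" ;;
        1) echo "patched: $bash_bin ignores commands appended to env function definitions" ;;
        *) echo "skipped: $bash_bin not found" ;;
    esac
    return "$rc"
}

# Report on the bash in PATH, or on the binary given as the first argument.
shellshock_report "$@" || true
```

Run it on each host after applying the vendor update; a patched bash reports "patched", and the exit status of shellshock_vulnerable can be used directly in fleet-wide audit scripts.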

This article has been extracted from, please click on this link to read the article in full

Montash is a multi-award winning, global technology recruitment firm. Specialising in permanent and contract positions across mid-senior appointments which cover a wide range of industry sectors and IT functions, including:

ERP, BI & Data, Information Security, IT Architecture & Strategy, Energy Technologies, Demand IT and Business Engagement, Digital and E-commerce, Infrastructure and Service Delivery, Project and Programme Delivery.

With offices based in London, Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid-management in permanent and contract roles.


