Part of the reason I took the website down was my fear that the United States and European Union directly confronting Russia was going to result in massive cyber warfare breaking out onto the Internet. Running the server from my home was increasingly risky and stupid.
We have arrived at that point – I have written previously about the danger that everyone has accepted the idea of using “free” software written and maintained by unknown individuals with unknown motives. The Heartbleed vulnerability was just a trailer for coming attractions. Unless you were the NSA and had the ability to directly monitor Internet traffic, its usefulness was relatively limited, and only a small portion of computers had the defect installed.
I can’t begin to tell you how much more dangerous the Shellshock flaw is. It is about as fundamental a hole in Linux as there can be (and in anything based on Linux, like Apple’s OS X on the Mac). While Heartbleed actually affected only a small percentage of computers, Shellshock affects every one of these computers ever made, including those that will be very hard to update, like your Internet-connected light bulbs.
My servers had the patch applied last night because I pay close attention to these kinds of things – but even with the patch, it is clear the vulnerability is not completely gone, and security analysts and programmers are not even certain of all the ways that the hole can be exploited.
If you are one of the people sitting on the fence thinking that backing up your important information offline is paranoid, your time for action has come. Don’t put it off. If you are acting as a helper, you might want to take a vacation for a few weeks unless you are using a device which has no valuable information on it.
For those of you who are curious about the technical details, the flaw was reported by somebody who works for Akamai, a huge content distribution outfit used by many of the most important commercial websites in the world. They were also pioneers in figuring out ways to sidestep distributed denial of service attacks intended to blackmail banks into paying money to stop cyber attacks from knocking their websites offline.
I doubt the person at Akamai was just sitting around with nothing to do, and was playing around looking for holes. My suspicion is they were successfully attacked, and did forensic research to figure out how their computer was compromised – and when they saw the details, they likely soiled their underwear.
Linux computers process commands through a piece of software called bash, which stands for the Bourne shell. While there are several alternatives, the vast majority of Linux computers use bash – and even those that don’t probably have it on their computers. The flaw is extremely simple – by setting what is called an environment variable, the attacker can make the computer execute any command they want, without any authentication, to break into the system. All it takes is sending a very simple message to the Apache Web server, and the hacker has taken over your server.
While those commands operate only with the power of the Web server (user/group Apache), that’s enough of a hole that hackers could then start downloading and installing other things onto the computer and turn the server into Swiss cheese. This is already happening in the real world.
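Because the “very simple message” arrives as an ordinary HTTP request, the probe leaves a trace in the Apache access log: a header value (usually User-Agent or Referer) that begins with the bash function definition “() {”. The following is an added example, not code from the original post, that parses Apache combined-format log lines and flags entries carrying that pattern; the log lines and addresses are constructed for illustration.

```python
import re
from typing import Dict, List

# Apache combined log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hallmark of a Shellshock probe: a value that starts a bash function
# definition "() {" so that trailing text is run when bash imports it.
# The \s* tolerates the whitespace variants seen in the wild.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else {}


def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True if any attacker-controlled field carries the '() {' function prefix.
    These are the request fields a CGI setup copies into environment variables."""
    return any(SHELLSHOCK_RE.search(entry.get(field, "")) for field in ("agent", "referer", "request"))


def find_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line and keep the entries that look like Shellshock probes."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry and is_shellshock_probe(entry):
            hits.append(entry)
    return hits


# Constructed sample log lines (not real traffic): one ordinary request, one probe
# whose User-Agent carries a harmless echo after the function prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo probe"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['client']} {hit['time']} {hit['request']} agent={hit['agent']!r}")
```

A hit only tells you a probe was attempted; whether it succeeded depends on whether the server ran an unpatched bash behind a CGI handler, so treat each flagged client and target path as something to investigate on the host itself.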
The data and coding for the streaming radio guide is backed up offline, but I really can’t guarantee that the server or the Internet as a whole will not fail in the near future. Even if the Russians and Chinese were not behind this, they are certainly paying attention to the power of exploiting flaws in “free” software and studying how the security professionals are reacting to the problem.