Discussion:
"Shellshock" (based on bash) -- are we now entering CyberWorldWar=III ?
(too old to reply)
Thad Floryan
2014-09-26 00:33:39 UTC
Permalink
The bad news just isn't stopping. Just found this on Reuters a few
minutes ago:

Hackers exploit 'Shellshock' bug with worms in early attacks
By Jim Finkle, Boston, Thu Sep 25, 2014 6:34pm EDT

http://www.reuters.com/article/2014/09/25/us-cybersecurity-shellshock-idUSKCN0HK23Y20140925

(Reuters) - Hackers have begun exploiting the newly identified
"Shellshock" computer bug, using fast-moving worm viruses to scan for
vulnerable systems and then infect them, researchers warned on Thursday.

"Shellshock" is the first major Internet threat to emerge since the
discovery in April of "Heartbleed," which affected OpenSSL encryption
software that is used in about two-thirds of all web servers, along with
hundreds of technology products for consumers and businesses.

The latest bug has been compared to "Heartbleed" partly because the
software at the heart of the "Shellshock" bug, known as Bash, is also
widely used in web servers and other types of computer equipment.

The problem is unlikely to affect as many systems as Heartbleed because
not all computers running Bash can be exploited, according to security
experts. Still, they said "Shellshock" has the potential to wreak more
havoc because it enables hackers to gain complete control of an infected
machine, which could allow hackers to destroy data, shut down networks
or launch attacks on websites, experts said.

The "Heartbleed" bug only allowed them to steal data.

The industry is rushing to determine which systems can be remotely
compromised by hackers, but there are currently no estimates on the
number of vulnerable systems.
[...]

{ article continues at above URL }

Thad
Thad Floryan
2014-09-26 00:53:39 UTC
Permalink
Post by Thad Floryan
The bad news just isn't stopping. Just found this on Reuters a few
Hackers exploit 'Shellshock' bug with worms in early attacks
By Jim Finkle, Boston, Thu Sep 25, 2014 6:34pm EDT
http://www.reuters.com/article/2014/09/25/us-cybersecurity-shellshock-idUSKCN0HK23Y20140925
[...]
"Somewhere" in the past 24 hours I've seen a comment speculating
this exploit is something about which the NSA has known for years
and was holding it back to use as *THE* offensive attack of last
resort.

Given all the info about the NSA's operations as revealed in the
Snowden [and other (at least 1)] documents, I wouldn't be very
surprised learning that speculation is the actual truth.

Thad
Keith Keller
2014-09-26 03:17:27 UTC
Permalink
Post by Thad Floryan
"Somewhere" in the past 24 hours I've seen a comment speculating
this exploit is something about which the NSA has known for years
and was holding it back to use as *THE* offensive attack of last
resort.
I read somewhere else that this bug has been around since bash 1.14, for
20 years. Twenty years! That just seems totally nuts.

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Loading...