Last Wednesday, the technology world was introduced to the latest in a series of catastrophic Internet security vulnerabilities, known simply as “Shellshock.” Months after discovery of the Heartbleed bug, which exploited a hole in OpenSSL protocols to target users’ passwords and was described as “the worst vulnerability found since commercial traffic began to flow on the Internet,” Shellshock appears to be built into the Internet’s very foundations and may therefore represent an even greater threat.
Shellshock results from an unresolved vulnerability in the Linux and Mac tool, “Bash,” a command line interpreter used to connect computer programs -- for instance software used to run web servers -- to an underlying operating system. According to a September 25 article in Wired, Shellshock works by:
"[making] it possible for hackers to trick Web servers into running any commands that follow a carefully crafted series of characters in an HTTP request. The shellshock attacks are being used to infect thousands of machines with malware designed to make them part of a botnet of computers that obey hackers’ commands. And in at least one case the hijacked machines are already launching distributed denial of service attacks that flood victims with junk traffic, according to security researchers."
The danger is that virtually all devices that use open source operating systems are at risk. What’s even worse is that Bash has been in use for more than two decades without anyone spotting or fixing the bug, as one would expect in an open source environment. This raises the possibility that even more seemingly foundational computer programs may have fatal flaws.
So what can federal agencies do to combat Shellshock? In the short-term, US-CERT recommends that users and administrators contact their vendors and install all relevant software patches. But according to TrendMicro Chief Cybersecurity Officer Tom Kellerman, by the time researchers develop a complete fix for Shellshock, hackers will have had more than enough time to install root kits and malware on affected systems.
Shellshock and the vulnerabilities it creates underscore the need for federal agencies to upgrade to a cybersecurity posture based on continuous diagnostics and mitigation (CDM), or, continuous monitoring. CDM works by deploying automated sensors to scan networks and devices on a continual basis in hopes of replacing the slow and labor-intensive FISMA risk management framework. Once in place, CDM can rapidly identify and quarantine those devices running Bash, as well as monitor federal networks for suspicious traffic patterns that may indicate unauthorized access or a denial-of-service (DoS) attack.
The Department of Defense, a leader in the effort to implement CDM government-wide has already achieved substantial progress on bringing its systems on-line. In a recent Government Business Council survey of 156 defense IT personnel, at least 80 percent rate DoD’s CDM systems at a state of moderate to high state of readiness when it comes to detecting unauthorized hardware, software, vulnerabilities, and software misconfiguration on its networks.
While it is still too early to assess the full risk that Shellshock poses for the U.S. federal government and for the Internet at large, maintaining a proactive cyber posture and implementing CDM may limit federal IT systems’ exposure to a wide range of cyber attacks.