A worrying new security vulnerability has muscled its way onto the Internet, and world-leading security experts are saying it’s even worse than this year’s Heartbleed fiasco. Called “Bash” or “Shellshock”, the security flaw is inherent to a computer’s shell. The shell is the user interface used to access an operating system, like Command Prompt, which means that many Linux, UNIX, and some BSD systems (including Apple’s OS X) are vulnerable. Worryingly, the bug is ubiquitous because a large percentage of software is engaged in constant interaction with the shell. Consequently, the bug can infiltrate software in a number of different ways.
So what can you do to protect yourself against this frightening new bug, and how can you avoid Shellshock? Well, the answer is basically the same as it’s always been. There’s no special tool or patch that’ll keep you protected from Shellshock. It’s just pure, common-sense cyber security.
1. Keep Windows, OS X and Linux up to date
Unlike a lot of malware out there, the new Shellshock breed is capable only of infecting Apple computers running OS X and any machine running Linux — basically any operating system based on UNIX. As such, it’s important to keep your operating system up to date to ensure that it has the latest security patches and vulnerabilities aren’t left undetected. While it’s not clear whether Shellshock affects Windows machines, it’s always best to keep everything up to date anyway.
While there aren’t any specific updates dealing with Shellshock right now, all the major companies will be scrambling to fix the opening, and updates should be coming soon.
2. Patch Bash and back up your data
To mitigate the risks involved, Toyin Adelakun of Sestus advised: “the urgent advice is to immediately patch or update the bash software. That applies both to servers as well as clients (i.e. individuals’ systems) such as Apple MacBooks and Mac Pro desktop computers. Because they affect both client and server computers, and because they could lead to data leakage directly from computers, these risks do indeed potentially surpass those of the Heartbleed bug”.
Internet users should also ensure that all sensitive data is backed up, and make sure that no data that could compromise their company or any other organization is stored on their personal computers.
“People should not only protect their computers, but also ensure that they back up their data regularly,” said security expert David Emm of Kaspersky.
3. Perform proper security maintenance
GetSafeOnline.org has published a list of downloads it recommends to keep yourself protected.
Unfortunately, the massive demand for the service is causing the website to crash, and it’s been offline for about 24 hours now. Not very helpful, we know — but hopefully it’ll be up and running soon enough.
4. Use a password manager
Phishing gets a lot easier once the attacker has access to your personal data. Using long, complex passwords, and a different password for each site you access, will maximize your security on this front. If you’re not feeling up to that, why not get a password manager?
We’ve written up a rundown of all the best password managers available, so go check that out.
5. Don’t open suspicious links
How many times do we have to tell you? Don’t open them! If you don’t know where an email came from, don’t open it. If you weren’t expecting an email from a colleague, don’t open it. If the message in the text is generic and could have come from anyone, don’t open it.
Don’t rely on hovering over the link to see the URL, either — hackers are becoming more and more sophisticated at spoofing legitimate URLs in order to infect you with malware. This is the single most common vector of attack, so protect yourself from fake emails, and you’ll be laughing.
6. Stay informed!
Make sure you stay abreast of developments. We’ll be following the story as it develops.
The message is always the same — make sure your antivirus software, and firewall, and everything else designed to protect you is up to date.
a business, audit your ENTIRE IT estate regularly so you understand your exposure and can make prudent decisions based on accurate data. Patch wherever and whenever possible to remove threats. Minimize exposure by limiting access to data where patches cannot be applied — and then pressurize dependent software providers to upgrade their applications.