Shellshocked? What Software Bugs Teach Us About Security
October 20th, 2014
So the Shellshock/Bash software bug (scored 10 out of 10 for severity in the U.S. National Institute of Standards and Technology (NIST) National Vulnerability Database) has made massive headlines around the world, much as the Heartbleed revelations did this past spring. Most conversations seemed to be focused on how Shellshock is – and is not – different from Heartbleed, so I thought it made sense to share thoughts on this topic as it continues to unfold.
Full IOT vs. “Only” Eavesdropping: Heartbleed was a bug in OpenSSL’s TLS heartbeat extension, so it primarily impacted websites and their servers (and some other types of software). Beyond such affected websites, the list of software that was also impacted by Heartbleed was not incredibly long (although it did include some virtualization, anti-virus, and other software). The key here, however, is that the threat Heartbleed posed was disclosure: an attacker could read chunks of the affected server’s memory, which could expose passwords, session cookies and, in some cases, the server’s private key, allowing traffic to be decrypted.
By comparison, the Shellshock/Bash vulnerability has two significant differences. First, because the bug is in Bash itself, a shell that ships with Linux, OS X and many other Unix-like systems, it impacts a significantly longer list of equipment and therefore qualifies as perhaps the first significant bug (of which we will undoubtedly see others!) having to do with the “Internet of Things (IoT).” If we think about the latest generation of cars, thermostats, refrigerators, and other appliances increasingly entering our lives, incidents such as Shellshock should make you take stock and consider these implications. Second, Shellshock/Bash enables attackers to run commands of their choosing on the affected machine, something Heartbleed did not enable. Bash imports function definitions from environment variables, and vulnerable versions also executed any commands appended after the function body; any service that passes untrusted input into Bash’s environment (a CGI web server that copies HTTP request headers into environment variables is the classic case) could therefore be made to execute attacker-supplied commands with that service’s privileges, and potentially to give up the machine entirely.
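Two checks a practitioner would want at this point, as an added example that is not part of the original post: whether a local Bash binary is still vulnerable to the original Shellshock bug (CVE-2014-6271), using the test string published with the advisory, and whether a web server’s access log shows anyone probing for it. The function names and the two access-log lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): two small checks around
# CVE-2014-6271, the original Shellshock bug. Function names and the sample
# log lines below are constructed for this illustration.

# 1. Is a given bash binary vulnerable?
# Bash imports functions from the environment: a variable whose value starts
# with "() {" is parsed as a function body at startup. Vulnerable versions kept
# parsing past the closing brace and executed whatever followed, so the
# "echo vulnerable" below runs during environment import, before the harmless
# "echo test" command is ever reached.
# Prints "vulnerable", "patched" or "missing" (no such binary on this host).
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Has anyone tried it against a web server?
# CGI servers copy request headers into environment variables (User-Agent
# becomes HTTP_USER_AGENT), which is why the function-export prefix "() {"
# inside a header is the classic Shellshock probe. These access-log lines are
# constructed: the first carries such a probe in its User-Agent, the second
# is an ordinary request.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:13 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

# Prints the log lines containing the function-export prefix anywhere in the
# request (fixed-string match, so the braces are not treated as a pattern).
flag_shellshock_requests() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | grep -F '() {' || true
}

# Number of flagged lines, as a bare integer (0 when nothing matched).
count_shellshock_requests() {
    flag_shellshock_requests | grep -c .
}

# Stand-alone usage: report the local bash status and any suspicious requests.
echo "local bash: $(shellshock_check)"
echo "suspicious requests: $(count_shellshock_requests)"
flag_shellshock_requests
```

The local check only covers the first Shellshock CVE; the follow-on parser bugs found in the days after it need the vendor’s later patches, so a “patched” result here means the original issue is closed, not that Bash is up to date. The log check is deliberately crude (a fixed-string match on `() {`) because that prefix has no legitimate reason to appear in an HTTP header, which keeps false positives low.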
Different Impact on Financial Institutions: What has gone largely under-reported is that where financial institutions bore the brunt of the public’s ire when it came to Heartbleed, Shellshock has thus far been remarkably different. On the heels of the Heartbleed discoveries, people were confused about “if, when, and how” they should – or should not – change their passwords. By comparison, Shellshock does not appear to have been as directly linked in the public’s eye to financial institutions, thereby sparing financial services organizations the level of scrutiny and criticism they’d experienced with Heartbleed. Only time will tell if this will somehow change.
Mainstream Public Perception: Whether it was Heartbleed itself, or Home Depot, or any of the other recent breach announcements, Shellshock comes at a time when the mainstream public is truly exhausted by the seemingly never-ending list of data breaches and system penetration incidents from rogue actors, hacktivists, foreign nation-states, and the like. What this could mean is one of two things: either the public is now educated about such matters (some articles report that 60% of Americans have heard of Heartbleed) and has resigned itself to adapting its online and mobile habits to such realities, or people simply want to stick their heads in the sand and ignore the security concerns and vulnerabilities that affect our daily lives in an increasingly direct manner. I think it is too early to tell what the public may be thinking – but it’s probably a little of both as people become smarter and more frustrated at the same time.
Legacy of Shellshock: Apparently Shellshock has existed since before the Web itself, harking back to the 1980s, with the Bash codebase having begun in 1987 and this particular vulnerability having been introduced in 1992. I think you’d agree that 22 and 27 years is an incredibly long time in Web and Internet history. By comparison, the Heartbeat extension that inadvertently caused the Heartbleed vulnerability was committed to OpenSSL on December 31, 2011 and shipped widely a few months later in the March 2012 release of OpenSSL 1.0.1, so it is much newer and perhaps therefore much more recognizable to people focused on its remediation.
And now we have POODLE – a different breed whose bark may be worse than its bite, because it is (as of this writing) considered a much smaller threat than either Heartbleed or Shellshock. POODLE is a flaw in the old SSL 3.0 protocol rather than in any one piece of software: an attacker who can intercept and tamper with a victim’s traffic, and who can force the connection down to SSLv3, can recover small pieces of the encrypted data, such as a session cookie, a byte at a time. Nevertheless, POODLE appears as if it will still be bothersome to banks, as hackers have one more element in their arsenal to use as a means of trying to access online accounts. As the BBC points out, whether it is a POODLE or a Heartbleed, or whether the threat is a NIST-rated 10 or a more modest 5, we all need to look at the one element these threats have in common.
With dated infrastructure, financial services organizations need to adopt a robust and serious approach to risk management, assume more such revelations will come, and consider participating in and supporting the various industry efforts now underway. For two reasons, I also don’t think it’s fair to assume that the financial services industry as a whole will abandon these protocols. First, they are deeply embedded in most financial institutions’ infrastructures, and they simply work so well. Second, they are fundamentally no different from many other types of software (all of it inevitably “buggy”) that could serve as a possible replacement.