By Mehul Shah, Chief Strategy Officer, Indusface

Heartbleed or Shellshock

There have been several atrocious security vulnerabilities announced in the last few months, with “Heartbleed” in web servers and Shellshock in shell command lines. There are too many questions in the air “Are Heartbleed and Shellshock really serious? Which one is more dangerous?” Few security skeptics may also treat these as ‘hypes’ and try to ignore by saying “So Shellshock is the newest vulnerability; the last time they said that, it was Heartbleed…how many times you’ll scare me?!”

So let us try to make few points straight to our readers. You’re right to be skeptical, but don’t let that skepticism abstain you from keeping your data safe.

Heartbleed or Shellshock? – It’s like ‘between The Devil & The Deep Blue Sea’!

Both the vulnerabilities have been around for years and affected components are embedded in lots of hard-to-reach areas.  The vulnerabilities are in open-source code.  Vendors love to use open source components for applications and devices, especially embedded ones, because they’re cheap and legally unencumbered.  But there’s a down side: many open source components, even widely used ones like OpenSSL, aren’t always maintained as carefully as they should be.

Heartbleed vulnerability was discovered by three researchers — Neel Mehta from Google and two others. What this vulnerability does is allow a malicious user to steal sensitive information such as private keys, passwords etc. The vulnerability is present in a module of OpenSSL called TLS heartbeat extension which is used to generate heart beat messages. Hence the name Heartbleed for this vulnerability. This heartbeat handshake is usually done during the negotiation time of the SSL protocol and much before https takes over, in case SSL is used under https. Thus, the vulnerability is not present in layer 7 but rather at layer 4.

Bash is the software used to control the command prompt on many Unix based computers. Hackers can exploit a bug in Bash to take complete control of a targeted system. Right from routers, to all kinds of other systems, shell scripts are used, and this vulnerability can play havoc. In fact, the bash shell is so ubiquitous that it may be impossible to know the full extent of this vulnerability. You may be vulnerable even if you are using shell to connect to a remote system. The way out is to upgrade your shell to the latest version. Patched bash shells are now out from various vendors. The other workaround is to insert WAF signatures to block this vulnerability/exploit in case you are running a website.

In the case of Heartbleed, the best advice was to wait for your favourite sites to patch themselves, then change your passwords. For Shellshock, you should patch your Mac or Linux computer, and then hope that everyone else – especially system administrators and engineers -does the same. Plus, while researchers say they’ve seen the effects of both exploits in the wild, it’s not like people are losing their computers or flooding tech support hotlines with calls about broken computers – not the way we saw back in the early 2000s when viruses made the evening news.

Conclusion:

When you hear about these types of vulnerabilities, they’re worth sitting up and paying attention to, especially if you work in IT, or are in a position to actually do something about it. And if you can patch your own computer, you should. It’s easy to get fatigued when it seems like every week there’s a new hack, more credit card numbers lost, and more passwords to reset, but things aren’t about to change soon, and those hacks deserve at least enough attention to make sure your bases are covered and your data is protected.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.