Page 1 of 2 12 LastLast
Results 1 to 15 of 22
  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    What 'Shellshock' means to you and me




    TOP STORY


    What 'Shellshock' means to you and me


    By Susan Bradley

    A Linux/Unix-based vulnerability, Shellshock, has an impact that reaches far beyond one operating system.

    As with Heartbleed, Windows users can't ignore this threat. But the most difficult aspect of this outbreak is determining which devices are actually vulnerable.

    The full text of this column is posted at http://windowssecrets.com/top-story/...to-you-and-me/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    Lounger
    Join Date
    Dec 2012
    Posts
    30
    Thanks
    4
    Thanked 1 Time in 1 Post
    It's gratifying for a change to hear that there's an attack made just for Unix and not for Windows.

  3. #3
    5 Star Lounger RussB's Avatar
    Join Date
    Dec 2009
    Location
    Grand Rapids, Michigan
    Posts
    803
    Thanks
    10
    Thanked 50 Times in 49 Posts
    Quote Originally Posted by GSAugustas View Post
    It's gratifying for a change to hear that there's an attack made just for Unix and not for Windows.
    Not to be mean or anything but this is one of the most repulsive comments on computer virus attacks that I have ever seen.
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  4. #4
    5 Star Lounger RussB's Avatar
    Join Date
    Dec 2009
    Location
    Grand Rapids, Michigan
    Posts
    803
    Thanks
    10
    Thanked 50 Times in 49 Posts
    That may be, however as a Vietnam veteran I still have other connotations to the term "shell shock".
    Do you "Believe"? Do you vote? Please Read:
    LEARN something today so you can TEACH something tomorrow.
    DETAIL in your question promotes DETAIL in my answer.
    Dominus Vobiscum <))>(

  5. #5
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,175
    Thanks
    47
    Thanked 981 Times in 911 Posts
    And the attacks are not "made" for Unix, it's a pre-existing flaw that has been recently discovered, much like the Windows / Apple / phone flaws.

    cheers, Paul

  6. #6
    Lounger
    Join Date
    Dec 2012
    Posts
    30
    Thanks
    4
    Thanked 1 Time in 1 Post
    I beg your pardon. I meant the comment as sarcasm. Almost everybody and his grandfather attacks Windows because it is frequently the target of virus attacks and defends Unix (and Linux) for the same reason. I, for one, find it refreshing that for once, there is a virus that explicitly attacks Linux and not Windows. So all those Windows naysayers can take notice.

  7. #7
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    I just had to chime in here.

    First, I agree that calling anything ShellShock is a bit insensitive to our brave military veterans.

    Second, there is a common myth that Linux is only about 3 percent or less of the market. That's only true of desktop OS installations.

    Devices ranging from routers to cars to refrigerators may be using Linux (or embedded Windows for that matter) and may be attacked for the reason that who would think of testing networked devices as attack vectors?

    Linux and UNIX are widespread in server applications, which includes websites and banks. Just to name a couple of the biggest areas we should be concerned with. Also affected may be retail backend systems, where contractors are often not adequately supervised and restricted.

    Let's remember that Apple users were afffected by this and a previous BASH bug. That's not small potatoes these days. Android is also possibly vulnerable to Shell-based attacks, though not to ShellShock.

    Third, while I enjoy a bit of back and forth between Windows users and Linux users, I think it's time to get past being in one camp or another between the various OSes available today. Different form factors and applications environments may benefit from one or another OS, and no one OS is perfect for every application environment.

    We are moving toward a time when users will select devices and Apps not by brand or type (Windows vs. Apple, etc.) but by what the device or App does, and how well it fits each individual user's needs at the moment. In such a world, we all should have some level of comfort working with a diverse array of devices, form factors, GUIs and OSes.

    Just my thoughts -- others are entitled to their own opinions.
    -- Bob Primak --

  8. The Following User Says Thank You to bobprimak For This Useful Post:

    Orange Kitty (2014-10-04)

  9. #8
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Courtenay, BC
    Posts
    244
    Thanks
    9
    Thanked 16 Times in 15 Posts
    Thanks, Susan. Great to have a nice summary.
    What I found in searching was either a lot of noise (fog) or an absence of info. It also seems some "tech" sites are using peoples concerns to garner site hits. I checked for my NAS and found a whole bunch of sites mentioning ShellShock in meta info where there was no info on the actual page. Sheesh. Seems I need a plugin to start blacklisting some domains...

  10. #9
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,746
    Thanks
    171
    Thanked 649 Times in 572 Posts
    Quote Originally Posted by bobprimak View Post
    Second, there is a common myth that Linux is only about 3 percent or less of the market. That's only true of desktop OS installations.
    There's also a common myth that Linux is more secure by design or default:

    Quote Originally Posted by bobprimak View Post
    That said, there is, last I knew, little or no known Linux malware which can be transmitted or run from remote sources. Hence the Linux security edge. It's the OS itself, not how you run it.
    Quote Originally Posted by bobprimak View Post
    When properly configured, Linux has no known in the wild malware which can be transmitted over the Internet and executed locally without user intervention (last I read).
    Quote Originally Posted by bobprimak View Post
    So if all of the Web worked under Linux, this would be a safe alternative to Windows.
    Bruce
    Last edited by BruceR; 2014-10-02 at 20:55.

  11. #10
    New Lounger
    Join Date
    Oct 2011
    Location
    Warrington, PA
    Posts
    10
    Thanks
    3
    Thanked 1 Time in 1 Post
    What I DON'T understand is, aren't ALL shells capable of executing a remote shell? Many years ago, we used CSH when the system was delivered and would rlogin to another device to check on the progress of a program. We used ZSH for build menus and BASH for other menus. BSH was preferred for simpler syntax on some loops. And for anything lethal, you had to SU with a password. Aren't the capabilities of any shell are controlled by the passwd file (which could only be updated with the root password)?

  12. #11
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,175
    Thanks
    47
    Thanked 981 Times in 911 Posts
    Not if you manage to use a vulnerable shell with root access, such as DHCP. It's the unknown nature of this exploit that is the major issue.

    cheers, Paul

  13. #12
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by BruceR View Post
    There's also a common myth that Linux is more secure by design or default:

    Bruce
    Still not a myth. Not yet anyway. (We have yet to see how secure Windows 10 and its Server companion will be in the wild.)

    Before this thread (in other Lounge threads) I noted that Linux had (at the time) only a handful of remote exploits known. Those statements, while accurate at the time, need to be modified in light of the recent attacks on Linux servers.

    The fact still remains that most of the attacks which happen each day are directed at Widnows PCs and servers, and especially at Windows browsers, plugins and runtimes. End users should not be misled into thinking that all is well now with Windows security, just because Mac, Linux and UNIX are also under attack.

    I do not condone the lack of updates and security testing for over 20 years which led Linux to become vulnerable to the ShellShock attack (among other recent attacks). Linux developers clearly had become complacent about the possibility of remote attacks.

    Let's remember that ShellShock is not a kernel-level vulnerability, but rather a Shell-level flaw (or several flaws). So the underlying Linux kernel remains quite secure. Contrast this with the monthly Windows kernel-level driver patches (which are causing Blue Screens for some Windows users).

    Linux was attacked long after Windows for good reasons, not just because of its small penetration into the desktop OS market.

    Linux is more difficult to attack than Windows. Attackers preferred attacking Windows until Windows security was tightened up, often by or at the urging of third-party security firms and their products. Finally, Windows, especially Windows 8 and Windows 10, have become secure on nearly a par with Linux and Mac OS, so attackers are looking at the more-secure (generally) "baby 'NIXes" in desperation.

    As a result, some previously overlooked flaws in UNIX and its descendants are now coming to light, and far from being an embarrassment and a cause for denials, these revelations are prompting (belatedly) UNIX, Linux (and Apple) security pros to look deeper and to start taking even more seriously, their responsibilities to their end-users to renmain vigilant about security risks specific to the 'NIX OSes.

    I still find it enlightening that only hours to days after serious and widespread Linux flaws have been revealed, Linux developers have found or created security fixes and patches, then distributed them with great speed to end-users. My Ubuntu has had patches for SSL, ASH (DASH in the case of Ubuntu) and Python flaws within days of the screaming headlines at Wired and other online tech tabloids about The Death of Linux, or some such nonsense. I have rarely if ever seen Microsoft or Apple move so swiftly to shore up their OS security when flaws are revealed.

    Once revealed, the ShellShock vulnerability did not take 20 years to patch. It took about 20 hours.

    So while it may be argued that Windows security is perfectly adequate for most users, and Linux security is not impervious to attacks, I still would rather put my bets on Linux and its wordlwide community of developers, than Microsoft and its closed and often inward-looking attitude toward security patching.

    You of course are entitled to your own point of view.

    Windows is not the wrong choice, but neither is Linux. Both are right, for those times and places and users for which they are the best fit.

    In this day and age, one size, and one OS, does not fit all situations or all users.
    Last edited by bobprimak; 2014-10-07 at 14:35.
    -- Bob Primak --

  14. #13
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by Paul T View Post
    Not if you manage to use a vulnerable shell with root access, such as DHCP. It's the unknown nature of this exploit that is the major issue.

    cheers, Paul
    What is "unknown" about ShellShock? It has been well documented what went wrong, a few secondary flaws have been documented, and all have now been patched. If new flaws are found, they too will be swiftly adressed by the OpenSource Community. I can't say what Apple will do if further Mac OS flaws are found.

    The problem with devices is that manufacturers have been downright arrogant about never signing code, never issuing timely firmware patches, and leaving firmware open to third-party modifications when it makes no sense whatsoever to do these things.

    It will not take ten years to patch these Linux shell flaws, and the recently revealed USB and Plug And Play security flaws, if manufacturers start taking security seriously in their products. These issues could be addressed in ten weeks or less. Ironically, the main mechanism would be firmware updates sent out over the Internet.

    Devices which cannot be upgraded should be discarded by end-users. These cases are few in most households. Some businesses might be in a more difficutl situation, but I don't follow business-class hardware.

    The device security problem must be addressed, if the Internet of Things with web-connected devices, is ever to take off and be accepted by the general public.

    You might think USB, Cloud Storage (iCloud) and Linux ASH Shell languages are very different and separate things. In some ways they are, but as they all relate to the Internet of Things, all are intimately related and must be secured in tandem.
    Last edited by bobprimak; 2014-10-06 at 16:53.
    -- Bob Primak --

  15. #14
    Silver Lounger wavy's Avatar
    Join Date
    Dec 2009
    Location
    ny
    Posts
    2,371
    Thanks
    235
    Thanked 147 Times in 136 Posts
    This spurred me to try updating my Mint 14 installation again with no luck again. Its looking like I might be forced to go to 17. Fortunately my TV is not on the internet, well cable but I doubt that this counts.
    David

    Just because you don't know where you are going doesn't mean any road will get you there.

  16. #15
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,175
    Thanks
    47
    Thanked 981 Times in 911 Posts
    Quote Originally Posted by bobprimak View Post
    What is "unknown" about ShellShock?
    Only the possible exploits, not the flaw.

    cheers, Paul

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •