Vulnerability in Bash – CVE-2014-6271 aka “ShellShock”

ei_logo_tm

Last week a vulnerability in a common system component called Bash was released.  This vulnerability, nicknamed ShellShock, enables a unauthorized actor to execute commands on any affected system.  Bash (short for the Bourne Again SHell) is a common application on Unix and Linux based systems, and provides a number of services to the operating system.

While most well known as a “shell” ( a text based environment for interacting with a system) the Bash program also provides services to other common applications, like web servers, SSH servers, and mail servers.  Since those types of services are often Internet facing, this vulnerability is especially serious.

Since receiving the initial information about ShellShock, the EI Security Operations team have been evaluating the risk to our customers and have begun a review of all systems, starting with Internet facing systems and moving to the internal networks.

At this time no action is necessary on the part of our customers.   Your EI account director will be reaching out directly to each customer this week to let you know when we have either cleared the risk or identified any vulnerable systems

We will be providing regular updates on this vulnerability, and are always available if any customer has a specific question or concern.

Additional details can be found at:
https://www.us-cert.gov/ncas/alerts/TA14-268A
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

How to keep yourself (and your wallet) safe

Obligatory opening shot of credit cards...  Boom!
Obligatory opening shot of credit cards… Boom!

In case you missed it, Home Depot has been in the news lately, the latest victim of an attack aimed squarely at their point of sale (POS) systems, looking to steal the credit card data of its customers.  We don’t have much in the way of details at the moment, and it took Home Depot a little over two weeks to respond publicly (see why covering up a breach typically backfires).  To their credit though, they do provide an update (actually an easy to find one on their front page).

Home Depot surely wasn’t the only major retailer to experience these attacks this year, and they (sadly) won’t be the last either.  So what can we do to stop these thieves?

pci-compliant-logo

On the merchant side, the latest version of the Payment Card Industry’s Data Security Standards (PCI DSS) go into effect on January 1, 2015.  The Payment Card Industry (PCI) Security Standards Council, a joint endeavor of the major credit cards brands in the world (Visa, MasterCard, American Express, JCB, and Discover), publishes these security standards for merchants processing credit card transactions.  While some have derided the PCI DSS as not going far enough, the purpose of these requirements is to create a minimum baseline for a security program, not the ideal end-state ceiling of total defense.

In version 3.0 of the PCI DSS, a few new items go into effect that should improve the overall security at these organizations.  Previous versions of the PCI DSS only required vulnerability assessments to be conducted internally.  Now organizations will be required to perform penetration testing both internally and externally.  The difference between a vulnerability assessment and a penetration test is vast: A vulnerability assessment is the equivalent of looking at a locked door to see if it’s locked, where in a penetration test we open the door and steal your XBox One.

Dramatic re-enactment....
Dramatic re-enactment….

In addition to providing detailed feedback on the methods an attacker would use, organizations will also get the benefit of a live training exercise to see how their own security teams can identify and stop these types of attacks in action.  A good step in the right direction indeed.

Be sure to check your statements regularly!
Be sure to check your statements regularly!

Personally, the best defense you can have to protect yourself is awareness.  Always check your credit and debit card statements.  If you didn’t make a purchase, you need to let your card issuer know immediately.  If they hassle you about returning the funds, perhaps it’s time to switch banks.  For every Home Depot and Target known breach, there are no doubt plenty of unknown breaches.  Don’t wait on external notifications to start looking.

If your information is compromised and you are offered free credit monitoring, take advantage of it!  Beware any emails you may recieve, as they may be scams.  Always check by going directly to the merchants website or calling their customer service numbers to confirm what monitoring programs they have for you first.

Some new technologies on the horizon may provide some relief too.  The credit card brands themselves are requiring breached merchants to implement the “chip-and-pin” system, or assume liability for future data breaches themselves.

Credit card with an embedded chip
Credit card with an embedded chip

The “chip-and-pin” system includes an embedded chip in the card that interacts with the payment terminal to create a unique code for each transaction.  It requires the card holder to use their PIN in order to activate the function, and provides additional security beyond the data stored in the standard magnetic strip that most cards in the US use today.

apple-pay

Electronic wallet technology has been advancing, and received a big boost yesterday when Apple announced their new offering in that space, dubbed Apple Pay.  The Apple Pay system eschews traditional passing of credit card numbers to merchants in exchange for one-time use tokens that authorize an individual purpose.  Stealing one of these tokens won’t provide any value to a thief.

GWallet

Similar approaches by Google, Square, and others may provide the relief we (and companies like Home Depot) are hoping for!

Thanks for reading, and stay safe out there!

 

Exposed Celebrities – Cloud Security Edition

hotdog

While most of America was 3 or 4 hot dogs into an outstanding Labor Day weekend, a few other individuals were working out how to access other people’s photos stored in Apple’s iCloud.  They succeeded, and promptly begin to advertise the existence of nude photos of various celebs they were now in possession of.  Which of course made the news.

I tend to glaze over the minute I hear “celebrity news” too, but stay with me for just a minute on this one.  To me, the big news isn’t the celebrity part, it’s that we keep forgetting that the “cloud” is really just someone else’s computer.  These computers aren’t magical, just running special services that enable all kinds of cool things, like constant over the air backups of your phone.

In this case, the attackers took advantage of a misconfiguration in the iCloud service that let them try big lists of potential passwords and usernames to find some matches.   And it worked.   An account lockout after a certain number of failed attempts, or using a two factor authentication would have prevented the attackers from gaining access.

setup_ios_free_icloud

Everyone who has an iPhone is a (potential) iCloud user.  Its possible to disable it altogether, but my guess is very very few folks ever do.  It’s so easy and convenient, and ensures you’ll always have access to your phone’s backup in case you need it.  This applies to Google if you’re an Android user, and Microsoft’s OneDrive if a Microsoft user.  We’ll never have control over these services, so perhaps we need to just adopt some new guidelines on using them.

1. Don’t take pictures you wouldn’t mind the whole world seeing.

2. Don’t use a simple password for your account.*

3. Enable 2-factor authentication whenever possible.

4. Don’t take pictures you wouldn’t mind the whole world seeing.

*Apple’s guide to enabling 2-factor authentication for iCloud is available here.

I’m reminded of an old analogy about email: Treat it like a postcard.  When a postcard goes through the mail, it is readable at every point of delivery.  If you need to keep something secret, send it a different way.  The same thing can apply to cloud services.  Leverage the benefits, but beware the risks.  If you do need to store some sensitive info, make sure you think carefully about where it should go.

Thanks for reading, and stay safe out there!