We had only just recovered from Heartbleed, considered one of the worst security issues of all time, when along came a potentially even larger problem: the Bash Bug, also known as Shellshock. The news broke yesterday via CERT. So what is happening this time? You'll find this story all over the Internet, so we're going to break it down and give you what you need to know.
Are You Shellshocked by the Bash Bug?
Who is Affected by Bash Bug?
Bash Bug affects systems that run Bash, the command shell installed by default on most Linux distributions (which power many hosting providers, so probably your website) and on Macs. Having Bash installed is not enough on its own for an attacker to reach you: the bug bites when some program hands Bash text that an outsider controls, and the most common case is a web server running CGI scripts.
What Are Hackers Using Bash Bug For?
Hackers have found a way to fool web servers into running commands of their choosing. The flaw is in how Bash reads its environment: an unpatched Bash treats any environment variable whose value starts with "() {" as a function definition and, crucially, also executes whatever is appended after the closing brace. Web servers that run CGI scripts copy request headers (such as User-Agent) into environment variables before starting the script, so an attacker only has to put a command into a header of an ordinary HTTP request. So far, attackers have used this to hijack vulnerable machines and enrol them in botnets, networks of compromised computers that are then used for further attacks. The scary part is that the flaw sits in such an elementary part of Bash that exploiting it takes a single crafted request, not hours of work.
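To make that concrete, here is an added example (not code from the original post, from CERT, or from any vendor) that mirrors what a CGI web server does with a request header: it turns the header into an environment variable, starts Bash the way a shell CGI script would be started, and reports whether the local Bash executed the extra command hidden in the header. The header name, the payload text and the function names are all choices made for this demonstration, the "request" is constructed inline, and nothing touches the network. It is also the check to run on your own machines before relying on the steps under "What Steps Can I Take to Protect Myself From Bash Bug?".

```shell
#!/bin/sh
# Added example: how a request header reaches bash through CGI, and a
# local check for whether the installed bash still imports the trailing
# command. Assumes a POSIX shell with sed and env; bash is the subject
# under test, not the interpreter running this script.

# Constructed header value shaped like the Shellshock trigger: text that
# looks like an exported function body, followed by an extra command.
# An unpatched bash runs that extra command while importing the variable.
PAYLOAD='() { :;}; echo INJECTED'

# CGI convention for mapping a request header to an environment variable:
# upper-case it, replace '-' with '_', prefix with HTTP_. (Content-Type and
# Content-Length are special-cased by CGI and are not covered here.)
header_to_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" \
        | sed 'y/abcdefghijklmnopqrstuvwxyz-/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/')"
}

# What a CGI server does next: export the header, then run the script.
# Here bash itself stands in for a shell CGI script. The script never reads
# the header, so "INJECTED" can appear on stdout only if bash executed the
# payload while setting up its environment.
simulate_cgi_request() {
    name="$(header_to_env_name "$1")"
    env "$name=$2" bash -c 'echo "script ran"' 2>/dev/null
}

# Prints "vulnerable", "patched", or "no-bash" when bash is not installed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out="$(simulate_cgi_request User-Agent "$PAYLOAD")"
    case "$out" in
        *INJECTED*) echo vulnerable ;;
        *)          echo patched ;;
    esac
}

shellshock_status
```

A result of "patched" only says that this Bash no longer runs the trailing command when importing variables (stderr is silenced above; the first-round patch prints a warning there instead of executing). Whether a machine is actually reachable depends on something passing attacker-controlled strings into Bash's environment: CGI scripts are the main case, and SSH ForceCommand restrictions and some DHCP clients were also reported as vectors. The widely circulated one-liner `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"` is the same check without the CGI framing.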
Why Could Bash Bug be Worse than Heartbleed?
Because while Heartbleed may have given hackers unwanted access to information, Bash Bug gives them outright control of the machine holding that information, which means they can use the Shellshock vulnerability to break in and actually read, alter or destroy data. Patches have been released (the first one was incomplete and was quickly followed by a second), and applying them is the real fix; what nobody knows is how many exposed machines are still unpatched or have already been compromised.
The Bash Bug vulnerability can also be used to create a worm: malware that spreads from one vulnerable machine to the next on its own, so the infected population can grow quickly and out of control. Worms can assemble botnets large enough to take down whole server networks or attack critical infrastructure. For the time being, attackers are apparently lying low so as not to attract attention from governments and law enforcement while they plan their next move.
What Steps Can I Take to Protect Myself From Bash Bug?
If you own or run a Mac, install all security updates immediately, including Apple's update for Bash; Apple has said that a default OS X setup is not exposed unless you have turned on advanced UNIX services such as remote login. The rest is general hygiene rather than anything specific to this bug: don't keep sensitive data lying around on your MacBook, disable Wi-Fi when not in use (especially when traveling), use strong passwords for your online services and documents, and enable 2-factor authentication if your provider offers it.
If you own or run a website, secure it as soon as possible. The fix is a Bash update on the server itself, which on shared hosting only your hosting provider can apply, so get in touch with them, ask whether Bash has been patched on the machines serving your site and whether CGI is enabled, and find out what else you can do on your side. If you are running a self-hosted WordPress site, a security plugin such as BulletProof, installed by its recommendations, helps against DoS attacks and other common problems, but be aware that no plugin fixes Shellshock; that has to happen on the server. And of course, keep your WordPress installation, themes, and plugins updated!
Consider Identity Theft Protection
It's easy to sign up for an ID theft protection service, and with all of the Internet security issues there are many companies offering one. Such a service will typically scan the Web to see if anyone is using your name, identity, or login credentials (e.g. your email address). They will notify you if they notice fraudulent login attempts, credit card accounts opened in your name, or any of your accounts being compromised.
You can also stay up to date on your credit score and receive other useful perks. We cover the top identity theft protection companies in our ID theft reviews article. To the right I've added a table of our top 3 winners for your convenience.
Should I Change My Passwords? How do I Create a Secure Password?
Even once Bash Bug is patched, your data is only as secure as your password and the encryption used by the service you log in to. We encourage you to:
- Only log in to websites that ask for or store sensitive data when your browser shows the connection is secure (a lock symbol in the address bar, and a warning if there is a problem with the certificate). The lock means your traffic to that site is encrypted and the site's certificate checked out; it does not mean the site itself has been secured against Shellshock or anything else.
- Use 2-factor authentication (you confirm your identity with an additional code sent to your phone or generated by an app) if your service offers it (many, including Google, do). This stops someone who has only your password from getting into your account.
- If a site where you used a password has been compromised, consider that password compromised and change it everywhere you used it. As a rule of thumb, use a different password for each site. A password manager such as LastPass can keep track of them for you. See our video below for more password tips.
We've created a video that details how you can create a secure, not readily hackable password. This should help protect your data independent of the Shellshock Bug issue.
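As an added example (not from the original post or its video), here is a small shell script that builds a password from the operating system's random number source and estimates, in bits, how much guessing an attacker faces. The 62-character alphabet, the default length and the function names are choices made for this illustration.

```shell
#!/bin/sh
# Added example: random password generation and a strength estimate.
# Assumes a POSIX shell with head, tr, cut, awk and /dev/urandom.

ALPHABET='A-Za-z0-9'   # tr range: upper, lower, digits = 62 symbols
ALPHABET_SIZE=62

# Emit a password of the requested length (default 20) drawn uniformly from
# ALPHABET. Random bytes outside the alphabet are dropped rather than mapped
# onto it, which keeps every symbol equally likely. LC_ALL=C makes tr treat
# the bytes as bytes instead of trying to decode them as text.
generate_password() {
    len="${1:-20}"
    pw=""
    while [ "${#pw}" -lt "$len" ]; do
        chunk="$(head -c 256 /dev/urandom | LC_ALL=C tr -dc "$ALPHABET")"
        pw="$pw$chunk"
    done
    printf '%s\n' "$pw" | cut -c "1-$len"
}

# Entropy in bits of a password of length $2 chosen uniformly from $1 symbols:
# length * log2(alphabet size). Only valid for generated passwords; a human-
# chosen one of the same length is usually much weaker than this number.
password_entropy_bits() {
    awk -v n="$1" -v l="$2" 'BEGIN { printf "%.1f\n", l * log(n) / log(2) }'
}

# Usage: print a 20-character password and its strength estimate.
pw="$(generate_password 20)"
printf 'password: %s\n' "$pw"
printf 'entropy:  %s bits\n' "$(password_entropy_bits "$ALPHABET_SIZE" 20)"
```

Twenty characters from this alphabet come out at roughly 119 bits, far beyond anything that can be guessed online or cracked offline with today's hardware, and every run produces a different value. The number only holds because the characters are drawn from the system's random source; the same script with a word you picked yourself would tell you nothing. Pair a generator like this with a password manager so that each site gets its own password, as the list above recommends.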
Have questions/concerns about bash bug? Have a shellshock security tip or news you wish to share with our readers?