‘Shellshock’ In Plain English: Latest Security Vulnerability is a Big One

September 25, 2014

Many network administrators and information security folks are feeling the effects of the ‘Shellshock’ bug this morning. The bug has been confirmed as ‘worm-able’ (it can be exploited automatically by self-spreading malware, with nobody on the target side having to click anything), and proof-of-concept code is already bouncing around.
(source: Errata)

In many ways, Shellshock is worse than Heartbleed.  Here is a quick, plain English breakdown of the vulnerability:

What Shellshock Is:

It’s a bug in ‘Bash’, the command-line shell used on most Linux and Unix-style systems. Bash allows function definitions to be handed to it through environment variables, and a vulnerable Bash does not stop at the end of the function: it also runs whatever commands are tacked on after it. So anyone who can get text of their choosing into an environment variable that reaches Bash (a web request header handled by a CGI script, for example) can run commands on the system. The attack does not require the attacker to ‘authenticate’ to the system or server being attacked. In other words, the attacker does not have to have a username/password, or break passwords.

What the attacker can do:

Run commands as whatever user the vulnerable program runs as (often the web server account, sometimes root), and from there everything up to full control of the compromised device/system/server.

What Shellshock affects:

Linux, Mac OS X, and any other system or device that ships the ‘Bash’ shell, which includes a great many internet-connected devices.

If you read that it only affects Linux systems/servers, don’t breathe a sigh of relief just yet! Most ‘Internet-of-things’ devices (cameras, refrigerators, TVs, etc.) use a form of Linux and are potentially vulnerable. (Many small devices ship a lighter-weight shell such as BusyBox instead of Bash, and those are not affected by this bug, but you cannot tell from the outside which is which, so check rather than assume.) In addition, if you are running ‘SOHO (Small Office/Home Office)’ wireless access points, managed switches, and routers, or if you are using a store-bought firewall/cable modem, then you may be vulnerable.

If you rely on IT support, and they tell you that there is ‘No problem, we don’t allow shell or terminal access to the outside world’, then you need to point out to them that is not the entire attack vector: any process or program that IS accessible, and that behind the scenes starts a shell or passes outside-supplied text to one through an environment variable, is potentially vulnerable. Known examples include web servers that run CGI scripts (request headers are copied into environment variables), DHCP clients (a rogue DHCP server on the network can supply the malicious text), and SSH servers that restrict users to a fixed command. It is not always obvious which programs or services do this.

So what can be done?

Review and Confirm: Check your systems, servers, and devices to see if they are, in fact, potentially vulnerable.

Patch:  Most of the major Linux distributions had a patched Bash available within hours. Be aware that the first patch turned out to be incomplete and follow-up updates were released over the next few days, so apply every Bash update you are offered and re-test afterwards.
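
A quick way to do the ‘Review and Confirm’ step, and to confirm afterwards that the patch actually took, is the environment-variable probe below. This is an added example, not code from the original post or from any of the sources linked at the bottom. It assumes a POSIX shell and a bash binary on the path (or a path passed as the first argument), and it emulates the CGI case described above by planting the malicious text in HTTP_USER_AGENT, the variable a web server would fill from the request’s User-Agent header; the variable name and the VULNERABLE marker are choices made for this example.

```shell
#!/bin/sh
# Added example: probe a bash binary for the CVE-2014-6271 behaviour.
# Assumes POSIX sh plus a bash somewhere on PATH (or pass a path as $1).

# Return 0 if the trailing command in the planted function ran (vulnerable),
# 1 if bash ignored it (patched), 2 if no usable bash binary was found.
shellshock_test() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # A bash function definition followed by an extra command.  This is the
    # same shape a malicious User-Agent header has once a CGI-capable web
    # server copies it into the HTTP_USER_AGENT environment variable.
    payload='() { :;}; echo VULNERABLE'
    out=$(env "HTTP_USER_AGENT=$payload" "$bash_bin" -c 'echo request-handled' 2>/dev/null) || out=""
    case "$out" in
        *VULNERABLE*) return 0 ;;   # the trailing command executed
        *)            return 1 ;;   # only the real command ran
    esac
}

# Human-readable wrapper: vulnerable / patched / no-bash.
shellshock_status() {
    shellshock_test "$@" && rc=0 || rc=$?
    case "$rc" in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo no-bash ;;
    esac
}

# Probe the default bash (or the binary named on the command line).
shellshock_status "$@"
```

Run it before patching and again afterwards; a box whose Bash has been fixed prints `patched`. Because only the `HTTP_USER_AGENT` variable is planted, the probe tells you about the bash binary itself, not about which network-facing programs on the host hand environment variables to it; that part still has to be reviewed service by service.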

Keep an eye out for firmware updates for your internet devices: internet-connected TVs, Wi-Fi access points, SOHO-class firewalls, network storage devices, internet-connected cameras, etc.

Kill Non-essentials: Consider turning off, or disconnecting, non-essential ‘internet-of-things’ devices until a patch is available for them.

BE ALERT FOR PHISHING SCAMS:  So-called ‘spear phishers’, and scammers of every ilk, like to use these well-publicized security issues to trick people into downloading malicious programs. Get updates only through your operating system’s normal update channel, from a known security site, or directly from the manufacturer, never from a link in an unsolicited email.

USEFUL READING:

Patch NOW (the Register)

Shellshock bug (the Mirror)

TECHNICAL: CVE-2014-6271 (NIST.gov)

TECHNICAL: OSS Write-up


Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open sourced tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven” (the original article is here):

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging disks and memory to hand-carving byte ranges (with skip/count) makes it the number one contender in this category.  If you must have a Windows-based solution, you can also try FTK Imager Lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit, with the optional graphical front-end Autopsy, is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or Perl to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS+, etc., as well as everything you need for Microsoft Office documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.  You can also check out BackTrack 3 – just be aware that it can alter data on the evidence disk (for example by mounting it or using its swap space) if you boot it without forensics-safe settings.
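
As an added example (not from the original article, and not part of dd or any of the tools named above), here is the “dd” workflow from item 2 written as a small, hash-verified script: image a source, record both hashes in a log beside the image, then pull a byte range back out with skip/count. It runs against a constructed 2048-byte fake disk with a JPEG header planted at offset 1024, so no real media is touched; the file names, the 512-byte block size and the marker offset are choices made for this example.

```shell
#!/bin/sh
# Added example: hash-verified dd acquisition plus a byte-range carve,
# run against a constructed "evidence" file so it works offline.

# SHA-256 of a file; falls back to cksum where no SHA-256 tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Image SRC to DST and hash both sides.  conv=noerror,sync reads past bad
# sectors and zero-fills them so later offsets stay aligned; it also rounds
# the output up to a whole number of blocks, which is harmless on a real
# block device but is why the constructed evidence below is exactly 4 blocks.
# Writes both hashes to DST.log and prints ok or MISMATCH.
acquire_image() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" >"$dst.log"
    if [ "$src_hash" = "$dst_hash" ]; then echo ok; else echo MISMATCH; fi
}

# Copy LENGTH bytes starting at OFFSET out of IMAGE into OUT.  bs=1 with
# skip/count is the simplest manual carve; fine for small ranges, slow for big.
carve_range() {
    dd if="$1" of="$4" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Constructed test data, not a real image: 2048 zero bytes with a JPEG
# SOI/APP0 header (FF D8 FF E0 "JFIF") planted at byte 1024.
make_evidence() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf '\377\330\377\340JFIF' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# End-to-end run in a scratch directory.  Prints the acquisition verdict and
# the first four carved bytes in hex, e.g. "ok ffd8ffe0".
demo() {
    work=$(mktemp -d)
    make_evidence "$work/sdX"
    verdict=$(acquire_image "$work/sdX" "$work/sdX.dd")
    carve_range "$work/sdX.dd" 1024 8 "$work/carved.bin"
    head_hex=$(od -An -tx1 -N4 "$work/carved.bin" | tr -d ' \n')
    rm -rf "$work"
    echo "$verdict $head_hex"
}

demo
```

On real media, point acquire_image at the block device (ideally behind a write blocker) and keep the .log file with the image; re-hashing the image before each analysis session and comparing against the logged value is the cheap way to show the copy has not changed since acquisition.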

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.