Criminals may already be accessing people’s personal data by exploiting a massive security flaw affecting hundreds of millions of computers and other devices across the world, the UK’s privacy regulator has warned.
The Information Commissioner’s Office (ICO) sounded the alarm as the first evidence emerged of hackers exploiting the bug, dubbed “Shellshock”. The flaw – contained within a piece of software called Bash, which is used by operating systems and internet servers the world over – potentially allows any computer with the vulnerability to be remotely controlled.
Both the UK and US governments have issued national alerts in response to the bug, warning that it may compromise organisations responsible for “critical national infrastructure” such as power stations if it is not rapidly dealt with.
The Independent understands that British authorities are so far unaware of any confirmed reports of a hacker successfully compromising an important system. However, a comprehensive solution to the problem has yet to be found, meaning the window of opportunity for malicious hackers remains open.
In a statement issued today the ICO said the Shellshock flaw “could be allowing criminals to access personal data held on computers or other devices”, which “should be ringing real alarm bells” for British businesses which are legally obliged to keep their customers’ details secure.
The ICO added: “The worst thing would be to think this issue sounds too complicated – businesses need to be aware of this flaw and need to be monitoring what they can do to address it. Ignoring the problem could leave them open to a serious data breach and ultimately, enforcement action.” Individuals worried about their personal information being accessed are being advised to look out for security updates and install them on their machines as soon as they are available.
The bug was discovered on 12 September by Stephane Chazelas, a 38-year-old French software developer who lives in Edinburgh. In an email conversation with The Independent today, he said he had uncovered the flaw “by chance”, likening it to “the kind of thought you get when stepping out of the shower”.
Asked what his feelings were when he realised how dangerous Shellshock could be, he said: “That got a bit scary. I discovered a few other vectors which were a lot worse than the original one I was reflecting on that allowed hacking in many websites – and I envisaged that the list of possible infection vectors could be endless.”
Mr Chazelas immediately reported what he had found to Chet Ramey, a 49-year-old American programmer working at Case Western Reserve University in Ohio, who maintains the Bash source code. Mr Ramey has since said he probably inadvertently introduced Shellshock alongside a new Bash feature in 1992.
Asked whether other similarly dangerous bugs might be lurking in other commonly used pieces of software, Mr Chazelas replied: “Of course, there will always be bugs, some of those will always be vulnerabilities. We can only work at making things better.”