A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.
The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.
Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.
The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carried the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. Cert-UK added that it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function. Cyber analysts said last night that authorities must act immediately to close the loophole, pointing out that within hours of it being discovered, hackers had started exploiting the flaw, posting videos of their exploits online. Although software “patches” have already been distributed to deal with the problem, they are not thought to be fully effective.
Professor Alan Woodward, a security researcher from the University of Surrey, said more than 500 million websites and hundreds of millions of devices all over the world, including wi-fi routers, may be vulnerable to the Shellshock bug. “The thing that’s concerning me most is that we don’t yet really understand how it can be exploited,” he said.
“What we’re going to see over the next few days is people working out how to exploit this, and you’ll start to see different types of attack. Is it that they can syphon off all sorts of sensitive data? Can they steal people’s passwords? We don’t know yet – the attacks are being developed as we speak.”
David Jacoby, senior security researcher at internet security firm Kaspersky Lab, said: “The vulnerability is not targeting individuals, but servers hosted on the internet. This means that if, for example, your favourite e-commerce or banking website were vulnerable, the attackers could, in theory, compromise that server and gain access to your personal information, including maybe banking information.
“It’s very difficult to say exactly what platforms might be vulnerable and might have been targeted, but I would recommend that you do not actively use your credit card or share a lot of sensitive information for the next couple of days, until security researchers have been able to find out more information about this situation.”
6 notorious computer viruses and worms
6 notorious computer viruses and worms
1/4 Melissa (1999)
One of the first 'rock star' viruses, Melissa was authored by Kwyjibo (a Simpsons reference) and even inserted quotations from the cartoon into infected word documents. The virus itself appeared as an email with the text "Here is that document you asked for ... don't show anyone else ;-)" and was reportedly named after a stripper that its creator (David L. Smith) met in Florida.
2/4 Morris worm (1998)
One of the first ever computer worms (that's a virus that replicates itself rather than relying on a host program such as Word or Chrome) that was written by MIT student Robert Tappan Morris in order to gauge the size of the internet. Back of the envelope estimates suggest it infected around 10 per cent of the total internet-connected computers around (there were only around 60,000) while Morris ended up as a professor at MIT.
3/4 Chernobyl virus (1998)
One of the most damaging viruses of all time, CIH or Chernobyl is thought to have caused nearly $1bn in damage after infecting some 60 million computers and targetting their BIOS chips. The virus activated yearly on April 26th (though its creator claimed he didn't know the significance of the date) and was so prevalent that it was even spread via CDs distributed with computing magazines.
4/4 Stuxnet worm (2010)
Perhaps the most infamous bit of government-sponsored cyber warfare, Stuxnet was built to target Iran's nuclear capabilities, infecting their refinement systems and supposedly setting back their nuclear program years. Although no-one has officially taken responsibility for Stuxnet, there's been a lot of wink-wink nudge-nudging from senior figures in the Israeli and US military.
Shellshock was initially compared to the “Heartbleed” bug reported in April, a web encryption flaw which went unnoticed for more than two years and could have given hackers access to an unlimited array of customers’ secure data.
But Kasper Lindegaard, director of research at computer security firm Secunia, said the bug inside Bash was far more dangerous. “Heartbleed only enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems. We have only seen the tip of the iceberg so far,” he said.
A spokesperson for the Cabinet Office said the Government’s computer security advisers were attempting to tackle the problem.
“Cert-UK is working with partners and industry to ensure that organisations are able to patch their systems as soon as possible. Government is also working to ensure that its own systems are secure,” they said.Reuse content