Shellshock: Panic at 'worst ever computer bug' sees governments race to protect critical infrastructure

Consumers urged not to use credit cards online as cybersecurity experts say bug carries 'highest possible threat ratings'

Chris Green,Oscar Williams-Grut
Friday 26 September 2014 13:01
comments

A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.

The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.

Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.

Professor Alan Woodward, a security researcher from the University of Surrey, said more than 500 million websites and hundreds of millions of devices all over the world, including wi-fi routers, may be vulnerable to the Shellshock bug. “The thing that’s concerning me most is that we don’t yet really understand how it can be exploited,” he said.

“It’s very difficult to say exactly what platforms might be vulnerable and might have been targeted, but I would recommend that you do not actively use your credit card or share a lot of sensitive information for the next couple of days, until security researchers have been able to find out more information about this situation.”

Shellshock was initially compared to the “Heartbleed” bug reported in April, a web encryption flaw which went unnoticed for more than two years and could have given hackers access to an unlimited array of customers’ secure data.

But Kasper Lindegaard, director of research at computer security firm Secunia, said the bug inside Bash was far more dangerous. “Heartbleed only enabled hackers to extract information. Bash enables hackers to execute commands to take over your servers and systems. We have only seen the tip of the iceberg so far,” he said.

A spokesperson for the Cabinet Office said the Government’s computer security advisers were attempting to tackle the problem.

“Cert-UK is working with partners and industry to ensure that organisations are able to patch their systems as soon as possible. Government is also working to ensure that its own systems are secure,” they said.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments