Shellshock Leaves Deep Impact on Network Security
For the last 30 years, a common line of code found in a piece of software has quietly been a dormant security vulnerability – but now, news of the exploit has gone public, sending the network security community into reaction mode.
The Shellshock vulnerability can be traced back to Bash, a command shell that is commonly used across the Internet on Linux and UNIX platforms. Bash translates user commands into a language a computer can understand and then act upon. In the case of Shellshock, attackers could exploit Bash to run arbitrary commands, potentially allowing them to take control of systems.
In the immediate aftermath of Shellshock's discovery, security experts claimed the exploit had surpassed last spring's Heartbleed as the worst software vulnerability of all time. One reason is that Shellshock's reach could be even greater than that of the Heartbleed vulnerability, which only affected software using the OpenSSL encryption library. Shellshock's reach could even extend to Internet of Things devices, since their software is built on Bash scripts.
For the last few weeks, website administrators have been making the necessary updates to protect users. Within a week of the vulnerability going public, Amazon, Google and Apple responded with patches and internal server updates.
Even so, it will take some time for the fallout from Shellshock to subside.
The Year of the Cyberattack Continues
This year has not been kind to the network security community. Although the Target breach occurred in 2013, the fallout has continued well into this year. Then came attacks at Neiman Marcus, eBay and, just last month, Home Depot. And, of course, Heartbleed and Shellshock.
Even in the last few weeks, news broke that more than 200 stores in the Jimmy John's sandwich chain were breached by a remote hacker who stole customer credit and debit card information. And just like in the Target breach, where hackers infiltrated the network through an HVAC contractor, a third party working with Jimmy John's was also to blame – attackers gained network access and login credentials from a point-of-sale vendor.
The Jimmy John's attack provides yet another example of why network security isn't as straightforward as guarding against attacks just on the immediate network. Every network endpoint is a potential attack vector, whether it's part of the direct network or operated by a third party that only accesses the network occasionally. This is why it's so critical for network administrators to implement secure VPNs as part of a comprehensive, layered, defense-in-depth approach to network security.
Now, there have been reports that some VPNs could be vulnerable to attacks launched through the Shellshock exploit, but it's important to note that these remote attacks only apply to servers based on OpenVPN. VPNs using the proven IPsec standard, on the other hand, ensure privacy, shield remote users from a range of malicious attacks, and serve as another line of defense.
And in the fight against Shellshock, users need every defense mechanism they can get their hands on.