Shellshock: Online attacks are evolving, but you can easily protect yourself against bugs

Whenever there's a new computer bug, or weakness in a major system, the media (yes, even us) are guilty of splashing the news across television and computer screens, jumping on the buzzwords of the day like "shellshock" and "bash bug."

And while these are often significant problems that are being reported on, the reality is that by the time you read about it in the news, a fix has probably already been created for it or is in the works. Once it gets to that point, the onus then falls on you to make sure you're taking the right steps to protect your computers.

That was largely the case with Shellshock, a bug identified last week by a researcher who came across it while delving into Bash, or Bourne-Again SHell, a command-line program through which humans give instructions to a computer. Bash is used in the Mac OS X operating system, as well as Linux and Unix. Unless you're wading into the nitty-gritty of your computer's command line (accessed on a Mac via 'Terminal'), you'll never come in direct contact with Bash (read more about what exactly Bash is in this Vox explainer).

However, the researcher in this case was certainly not doing anything harmful – she was doing what a lot of people in the coding community do, testing for weaknesses in the code that could be exploited by people with malicious intentions. Unfortunately, if word of what these testers are doing becomes public, it's the perfect opportunity for attackers to jump in and try to take advantage of the situation. The secret is, in situations like Shellshock, to keep bugs quiet until a fix can be created and deployed.

"A lot of companies have 'bug bounty' programs where they pay you, instead of you publishing publicly what you found," said Satnam Narang, Security Response Manager at Symantec in an interview with Yahoo Canada News.

The amount of money someone who identifies these bugs can make ranges between $100 and $5,000, depending on the company and how significant the bug is. One of the highest-profile cases of this was when a Palestinian IT expert, Khalil Shreateh, posted his findings directly to Mark Zuckerberg's wall. His actions exempted him from receiving the cash reward, since the flaw he found became so public.

The reason for the bounty programs is that companies are often the target of online attackers now. Instead of gaining access to your personal bank account, it's much more profitable for an attacker to target a weakness in a company's system and gain thousands of credit card numbers in one go.

"Instead of a spray-and-pray approach, we're seeing large companies targeted," Narang said, referring to the previously relied-upon method of sending out thousands of emails to users and hoping five to ten per cent of the recipients will click the enclosed link. "These attackers aren't going after your computer or my computer, they're going after servers."

In many cases, the bugs that attackers could exploit on company servers are solved behind the scenes, before anyone knows. In the case of a bug affecting your browser, a program you use, or your computer operating system, the company who makes it will send out a patch to fix the problem.

That's where the user comes in: Narang says that the most common advice he and his team give people is to install patches right away, as more often than not, the bugs that attackers exploit are ones for which patches are already available.

"Shellshock or not Shellshock, targeted attacks are still out there, so make sure you're applying patches for your operating systems and browsers," said Narang.

While the shift in tactics by attackers is towards corporations, there are still some attacks aimed towards individuals, too. And when there's a high-profile bug in the news, that's when attackers are likely to move into action.

"Be careful, because a hacker may take advantage of the confusion and misinformation out there, and send out an email asking you to change your Facebook password," Narang said, highlighting one of the common tactics attackers are now using to take advantage of users.

Narang says that attackers are increasingly turning to 'ransomware' when attacking unsuspecting computer users. With ransomware, a user's access to their own computer is restricted when it gets infected with the malware. In order to gain access again, the attacker who created the malware will extort the user for money in order to remove the program. A survey released today by Webroot found that ransomware threats are of concern to 88 per cent of IT professionals.

"The amount of money these guys are making is mind-boggling," Narang said.

You might have previously heard of Cryptolocker, a specific kind of ransomware that encrypts files on the user's computer with strong encryption, preventing the user from accessing those files, CCi explains.

The best way to protect yourself against these kinds of threats is a strong defence. As Narang said, installing patches for your programs and operating systems is key to keeping them protected from known threats. Likewise, when a company advises users to change their passwords because of a security breach, it's wise to follow that advice. And if you receive emails or, increasingly, Facebook messages from people you don't recognize, or company emails that just don't seem quite right, don't click any links or send any information like passwords or Apple IDs if requested.

The attacks online may be changing, but it's the same weapon that will ultimately help prevent you from falling victim: common sense.
