Pub. 9 2014-2015 Issue 4

November | December 2014

Real & Present Danger: Shellshock and Lessons Learned From Heartbleed
Cody Delzer, CISA, Senior Information Security Consultant, Secure Banking Solutions

By now, you likely have heard about the most recently identified critical vulnerability, known as the “bash bug” or “Shellshock,” which may affect up to 70 percent of devices connected to the Internet. The affected software application, Bash (the Bourne Again Shell), is present on most Linux, BSD, and Unix systems, including Mac OS X. New packages were released recently, but further investigation made it clear that the patched version may still be exploitable, and at the very least can be crashed due to additional vulnerabilities. In addition, the FDIC released FIL 49-2014 on Sept. 29, which specifically addressed the Bash vulnerability.

Shellshock Versus Heartbleed

Heartbleed exploited a weakness found on one of the most prevalent webserver operating systems on the Internet at the time of its discovery. Heartbleed allowed an attacker to pull an unlimited amount of data by attacking the webserver with a simple challenge/response, and was undetectable to the system administrator. While Heartbleed is certainly a formidable vulnerability, an attacker could only access information in active memory while initiating the challenge/response. Shellshock, on the other hand, allows a remote attacker to not only gain unauthorized access, but also perform privilege escalation or infect vulnerable systems with malware. Furthermore, Shellshock is not limited to webservers. Shellshock may affect any system running a vulnerable version of any Linux, BSD, or Unix system, including Mac OS X. Therefore this is not just an issue for system administrators managing web-facing applications, but for end users as well.

Lessons Learned From Heartbleed

Heartbleed was disclosed in April. Yet in the month of September, 50 percent of Internal Vulnerability Assessments performed by Secure Banking Solutions found at least one instance of the Heartbleed vulnerability on a financial institution’s internal networks. You might ask yourself, “Why does it matter if Heartbleed exists internally? An external attacker cannot exploit an internal vulnerability!” Unfortunately, that isn’t entirely true. It is true that an external attacker cannot directly attack an internal vulnerability. However, an external attacker can attack an internal vulnerability once an internal foothold is established.

Real and Present Danger — continued on page 26
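The article notes that early Bash packages were not a complete fix. As an added example, not from the article or from Secure Banking Solutions, here is a POSIX shell self-check an administrator can run on their own hosts to see whether a given bash binary still imports a function definition from an environment variable and executes the command that follows it; the function names and the list of candidate bash paths are my own assumptions.

```shell
#!/bin/sh
# Added self-check (not from the article). Asks a local bash binary whether it
# still imports a function definition from an environment variable and then
# runs the command that follows the function body. A "vulnerable" result means
# the binary is unpatched; a "patched" result covers only this import behaviour,
# not the follow-on crash bugs the article says were found in the early fixes.

# shellshock_check [path-to-bash]  -> prints vulnerable|patched|missing
# exit status: 0 vulnerable, 1 patched, 2 no such binary
shellshock_check() {
  bash_bin="${1:-bash}"
  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "missing"
    return 2
  fi
  # The variable value looks like a function definition with a trailing
  # command. A fixed bash treats it as plain data and only runs 'echo probe'.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "vulnerable"; return 0 ;;
    *)            echo "patched";    return 1 ;;
  esac
}

# Report on the bash found in PATH plus a constructed list of other locations
# where a second, older copy is often left behind (adjust for your hosts).
shellshock_report() {
  for b in bash /bin/bash /usr/local/bin/bash; do
    status=$(shellshock_check "$b" || true)
    [ "$status" = "missing" ] || printf '%s: %s\n' "$b" "$status"
  done
}
```

Run `shellshock_report` on each host; any line reading "vulnerable" is a binary that still needs the vendor update, and a patched result should still be followed by installing the later packages the article refers to.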
