Monthly Archives: November 2014

Shellshock – what you need to know.

A post from Advent IM Consultant, Dale Penn


INTRODUCTION

First of all, what is the Shellshock bug? Shellshock (sometimes called Bashdoor) is a family of security vulnerabilities found in Bash, the GNU Bourne-Again Shell used on Unix-like operating systems.

That can be pretty confusing for the average user, so here is a short breakdown.

Unix-like is the term for any operating system built on the Unix design, which includes, among other things, a command-line shell and shell scripting. The most common today are Linux and Apple's OS X.


A shell is a command-line user interface to an operating system's services: you type a command and the shell runs it.

Bash is the default shell on most Linux distributions and on Apple's OS X (at the time of writing). It is also used behind the scenes by many system services and scripts, which is what makes this bug so widespread.

THE VULNERABILITY

Bash is the shell on Linux, Unix and Apple's OS X systems that accepts user commands, whether typed at a local terminal or over a remote session such as SSH. The flaw itself is in how Bash handles environment variables: if a variable's value begins with the characters "() {", Bash treats it as a function definition, and vulnerable versions then go on to execute any commands appended after the closing brace of that definition. Any program that places attacker-supplied data into an environment variable and then starts Bash is therefore exposed, and that includes some very common network-facing software: web servers running CGI scripts (which hand HTTP request headers to the script as environment variables), DHCP clients that run Bash scripts when a lease is received, and SSH servers that restrict a user to a forced command. So this vulnerability can be exploited over a network!

Worse, in the web-server case the attack requires no authentication at all, just a crafted HTTP request, and a successful exploit runs commands with the privileges of the affected service. That can compromise the confidentiality, integrity and availability of your information.

As such, the US Department of Homeland Security's National Vulnerability Database (NVD) gave Shellshock the maximum CVSS severity score of 10 out of 10 (CVE-2014-6271). The first patch turned out to be incomplete, and the bypass of that patch is tracked separately as CVE-2014-7169.

Chet Ramey, a senior technology architect at Case Western Reserve University in Ohio who maintains the open source Bash project, believes Shellshock has been present in Bash for around 22 years, stemming from a feature (passing shell functions to child processes through the environment) introduced in 1992.

SO WHAT?

Shellshock was announced on 24 Sep 2014, and within hours there were reports of machines being compromised through it. Attackers used these machines to build botnets: networks of compromised computers that can be controlled remotely and used to carry out further attacks. The most common such attack is a Distributed Denial of Service (DDoS), in which the attacker directs every member of the botnet to make requests of a single target, flooding it with so many requests that it can no longer function properly.

On 26 Sep 2014 a botnet named "wopbot", built from machines compromised through Shellshock, was reported to have carried out a DDoS attack against Akamai Technologies and to have scanned networks belonging to the United States Department of Defense.

WHAT SHOULD I DO?

Home/Office Computers

If you are using Microsoft Windows at home or in the office, this vulnerability does not affect Windows itself. The one exception is if you have installed a Unix-style environment such as Cygwin or Git for Windows, which ship their own copy of Bash and need updating like any other. If you are running Unix, Linux or Apple's OS X, download and apply the latest patches without delay; fixes have been released by all the major suppliers. Apply every update you are offered, not just the first, because the initial fix was incomplete and had to be followed by a second.
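As an added illustration (this script is not part of Advent IM's post), the POSIX shell script below checks whether the Bash on a machine still has the two flaws described under THE VULNERABILITY, using the widely published probe strings for CVE-2014-6271 and CVE-2014-7169, and then simulates what a CGI web server does when it passes a crafted User-Agent header to a child process. The sample header value is constructed for the example and the function names are the example's own. Run it after patching: both checks should report "patched" and the header should arrive in the child as plain text.

```shell
#!/bin/sh
# Added example, not from the original post: post-patch checks for Shellshock.
# Runs under sh or bash; it probes whichever "bash" is first on PATH.

# CVE-2014-6271: a vulnerable bash imports any environment value that starts
# with "() {" as a function and executes the commands that follow it.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo VULN' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *VULN*) echo "vulnerable" ;;
        *)      echo "patched" ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug; on an affected bash the
# probe below misparses "echo date" as a redirection and creates a file
# literally named "echo" in the working directory.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d) || { echo "error"; return 0; }
    (cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1) || true
    if [ -e "$tmp/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$tmp"
}

# Constructed attacker header, the shape seen in real Shellshock scans.
# A CGI server copies it verbatim into the child's environment as
# HTTP_USER_AGENT before starting the script (often /bin/sh, i.e. bash).
MALICIOUS_UA='() { :;}; echo PWNED'

# Simulates that hand-off. A patched bash treats the value as an ordinary
# string, so the child reads back exactly what was sent, nothing more.
cgi_child_sees_header_as_text() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    seen=$(env "HTTP_USER_AGENT=$MALICIOUS_UA" bash -c 'printf "%s" "$HTTP_USER_AGENT"' 2>/dev/null) || true
    if [ "$seen" = "$MALICIOUS_UA" ]; then echo "string"; else echo "executed-or-mangled"; fi
}

# Report when run directly.
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
echo "CGI header handed to child bash: $(cgi_child_sees_header_as_text)"
```

The first two probes are the same ones the distributions published alongside their patches; a result of "vulnerable" for either means the machine has not picked up the complete fix. The third function is the mechanism behind the CGI attack vector: the server does nothing wrong by exporting the header, the fault lies entirely in how an unpatched Bash interprets it.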

Mobile Devices

It is not believed that iOS or Android are vulnerable to Shellshock, as neither ships Bash by default. A device can become vulnerable, however, if you have customised it (jailbroken your Apple device, or installed a custom ROM on an Android device that includes Bash). If you have customised your device, you should consider the following:

  • For a jailbroken Apple device, an updated version of Bash is available on Cydia
  • If you are using a custom ROM on your Android device, the XDA Developers site has a link to an updated Bash shell (4.3.30)

Other Devices

Do not forget that many household items also connect to the internet in one form or another, and some of these run a Linux-based system that may include Bash. It is important to keep these updated as well to give your information the best protection. Instructions for doing so will be in the product manual or on the manufacturer's support website and should be relatively straightforward.


ISO27001:2013 Transition Training now available!

**PRESS RELEASE**

Media Contact: Ellie Hurst

+44 (0) 121 559 6699

bestpractice@advent-im.co.uk

Date: 05 Nov 2014

ISO27001 Transition Training now available

Information Security experts, Advent IM, today announced the launch of ISO27001:2013 transition training course.

Last year, the de facto Information Security standard ISO/IEC 27001 underwent changes, and some important alterations have been made to various controls and clauses. This means that organisations already certified or compliant to ISO27001:2005 now have to think about transitioning their Information Security Management System to the 2013 version, and they have increasingly been seeking support in completing this transition successfully. Advent IM stepped up to the mark after the initial release of the new version with a tool to help businesses already certified map the controls and clauses against the 2005 version. But the growth in requests for further support has been marked, and the team of specialists at Advent IM were asked to provide a tailor-made course for those currently certified or compliant to ISO27001:2005 who need to transition to 2013.

Advent IM today announced the availability of this bespoke course, which will work alongside the mapping tool to support Information Security Managers who are navigating their way through the changes. Advent IM's track record in both successful certifications and in Information Security training makes it perfectly placed to offer this training. Operations Director, Julia McCarron said, "We were very pleased to be asked to supply this support. It's great to know organisations continue to take their commitment to quality Information Security Management Systems seriously. ISO27001 has proven to be an enormously helpful framework; its comprehensive nature makes it a solid choice for a holistic approach to securing information assets. The transition to ISO27001:2013 need not be onerous; we are highly experienced with this standard and our vision is to help organisations have as smooth and successful a transition as possible."

Details on how to secure a place can be found on the website at

www.Advent-IM.co.uk/opencourses.aspx

Issued: 051114    Ends    Ref: ISO27001:2013/Advent – 1

NOTES TO EDITORS


About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.


Some places left on our HMG Accreditation Concepts Course in December

As usual, these will be allocated on a first come, first served basis.

The course is designed to help delegates understand the HMG accreditation process and how to identify, assess and treat risks appropriately, following the guidance in HMG IA Standards 1 & 2, the associated supplement and GPG 47. This course is only open to public sector employees. Please contact us on 0121 559 6699 for further information.

Please book via the website; full details of how to book are available in the training area of the website.