Salinas tech expert warns about ‘Shellshock’ bug


A computer bug that a Salinas security expert said is infecting computers without the users being aware has the potential to allow hackers to take over an entire device.

Luis Alvarez, president and chief executive of Alvarez Technology Group, said Wednesday that the “Shellshock” software bug is in some ways more significant than “Heartbleed,” which began attacking computers last spring. While Heartbleed could be used to steal passwords from a server, Shellshock can be used to take over the entire machine, Alvarez said.

The bug attacks computers running Unix or Linux operating systems, which generally run on larger enterprise-level servers that businesses use. It does not directly attack Windows or Android operating systems, but it is still dangerous for those machines.

The bug targets a program running on Unix or Linux called “Bash,” a sort of software interpreter that executes commands from a user. On a Windows machine, it is similar to “command.exe.” The bug is clever because it doesn’t act like an attacking virus.

The Bash program thinks it’s just another executable command. But once Bash is infected, Shellshock sends an encrypted message back to the “mothership” residing in Eastern Europe or other locations with lax security. At that point, the hacker’s computer begins to download what’s called “malware.”

Malware is short for “malicious software.” Malware is any kind of unwanted software installed without your adequate consent. Viruses, worms and Trojan horses are examples of malicious software.

One example of malware Alvarez offered up is “keyloggers.” This bug can log what keys you are typing on your keypad. Let’s say you are an Amazon.com customer, and you log into your account. A keylogger will track what keys you hit, providing it with a URL, username and password. The next thing you know, your credit card is debited for thousands of dollars of Amazon merchandise.

So what Shellshock does is open the gate of a Unix or Linux system to let in all the malware the hacker wants to download onto your computer.

“It’s like a back door into someone’s system,” Alvarez said.

If you are running Windows on your home PC, Shellshock won’t load on your computer. But here’s the danger: If you are conducting transactions or other activities with a Unix-based server operating a website, for example, and the website server is infected with Shellshock, then all that malware that now has the green light can be downloaded to your PC and begin the dirty work.

An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10 in terms of its severity, impact and exploitability. At the same time, it is very easy for hackers to use.

Patches are available from the makers of the particular Unix or Linux operating system loaded at the time of the computer purchase. The problem, Alvarez said, is that there is no indication anything is wrong with a computer.

This is not something even savvy computer users should attempt by themselves.

“This level of security is best left to professionals,” Alvarez said. “It might create more problems than you solve.”

The Department of Homeland Security’s Computer Emergency Readiness Team advised users and technology administrators to refer to their Linux or Unix-based operating system suppliers for an appropriate patch.

A piece of advice for Unix and Linux users: If you’re running Bash 4.3 or older, Alvarez recommends upgrading to the most current version.

Dennis L. Taylor covers business and technology for TheCalifornian.com. Follow him on Twitter @taylor_salnews.
